quasar | a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492 | Triage

Sharing

General

Target

a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492.vbs
Size

1.6MB
Sample

250131-exm7wayjhs
MD5

7e0b7c6c89827a608664bf468d850933
SHA1

adcfcf643b371e24d79353f4f88231170229949f
SHA256

a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492
SHA512

ddfbaaaf6e7f06f5cbaa35e3b188064e71a6b4542185ecf71e0a89ed6411d98059c0b37b8ad3288b4029d5ddf870a3ad9f342fb521331ee1f39a2dad741778bd
SSDEEP

24576:PLOiXTUVNhZXj4TARZ3zRdIwEtiQXNosn/eYwv2FpZHFLKOJFErpvGcZqF:bINzTLgrSK/fJ7HpeYcy

Score

10^/10

quasar 2025 discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

2025

C2

ducksro.DUCKDNS.ORG:5

Mutex

1b9237ca-608d-47fd-ae80-bba1f4ba0322

Attributes

encryption_key
B61B5E36913EE1C537DD4B68B384FA4355C64906
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492.vbs
- Size
  
  1.6MB
- MD5
  
  7e0b7c6c89827a608664bf468d850933
- SHA1
  
  adcfcf643b371e24d79353f4f88231170229949f
- SHA256
  
  a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492
- SHA512
  
  ddfbaaaf6e7f06f5cbaa35e3b188064e71a6b4542185ecf71e0a89ed6411d98059c0b37b8ad3288b4029d5ddf870a3ad9f342fb521331ee1f39a2dad741778bd
- SSDEEP
  
  24576:PLOiXTUVNhZXj4TARZ3zRdIwEtiQXNosn/eYwv2FpZHFLKOJFErpvGcZqF:bINzTLgrSK/fJ7HpeYcy
Score

10^/10

discovery execution persistence quasar 2025 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecutionpersistence

behavioral2

quasar2025discoveryexecutionpersistencespywaretrojan