quasar | c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a | Triage

Submit
Reports

Overview

overview

Static

static

3

BILLI.exe

windows7-x64

BILLI.exe

windows10-2004-x64

Sharing

General

Target

BILLI.exe
Size

3.5MB
Sample

250131-ksja1stkam
MD5

0f8d3f0739a8356c4703d9afcf3c9e9e
SHA1

a188aab63cc7f889b17be4062c8f3ad9733f877e
SHA256

c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a
SHA512

42b007929164546ebf4278a4d9d1945be70be19181c7cb1be7e1c5ec3d7f43ff942a6d59e570612543bd5a8d87e763375d61c70548c9f2fb7a87da607b0987e1
SSDEEP

98304:mIELk8TSeoFjXY04O4ofnyzCiygp6R3op7ScQoijW9vICaOJF:J25CFc4jfny21+pfQoHP7

Score

10^/10

quasar billi discovery execution spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

BILLI.exe

Resource

win7-20240903-en

quasar billi discovery execution spyware trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

BILLI.exe

Resource

win10v2004-20250129-en

quasar billi discovery execution spyware trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

BILLI

C2

147.45.44.68:4782

Mutex

677eac75-4a16-45d2-8af0-7cc6e5e6d262

Attributes

encryption_key
04207FE1D5AAE79F92E5E13CC9126DCA530C7527
install_name
win32_svchost1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
win32_svchost
subdirectory
SubDir

Targets

- Target
  
  BILLI.exe
- Size
  
  3.5MB
- MD5
  
  0f8d3f0739a8356c4703d9afcf3c9e9e
- SHA1
  
  a188aab63cc7f889b17be4062c8f3ad9733f877e
- SHA256
  
  c27d4855b7f3649b8f12ef2b55ea2db28328c9b0a5bfe7724a6d2efb4fecfa8a
- SHA512
  
  42b007929164546ebf4278a4d9d1945be70be19181c7cb1be7e1c5ec3d7f43ff942a6d59e570612543bd5a8d87e763375d61c70548c9f2fb7a87da607b0987e1
- SSDEEP
  
  98304:mIELk8TSeoFjXY04O4ofnyzCiygp6R3op7ScQoijW9vICaOJF:J25CFc4jfny21+pfQoHP7
Score

10^/10

quasar billi discovery execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to execute payload.
  execution
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarbillidiscoveryexecutionspywaretrojan

behavioral2

quasarbillidiscoveryexecutionspywaretrojan

© 2018-2025

Terms | Privacy