Resubmissions

03/02/2025, 21:57 UTC

250203-1t5hmsvmat 10

03/02/2025, 04:37 UTC

250203-e896saslgn 10

31/01/2025, 18:35 UTC

250131-w8gmxatmc1 10

Analysis

  • max time kernel
    126s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/01/2025, 18:35 UTC

General

  • Target

    bazaar.2020.02/Trojan.MSIL.Agent.exe

  • Size

    347KB

  • MD5

    b2b351958075d91039a2e47203a3c9a0

  • SHA1

    c5965141602832439c8c59935c0bb0aed87ec642

  • SHA256

    c4682163181637eb17e174cc795eba8b094f6d6c76a60b14cdfa38ae7471c768

  • SHA512

    c8f64e29b1e056ac2d02638dd0e13b4fbaaa5dbd094a8b76c3610094e89869fbcae0335299615ccdf8b5c202a010873f3bc4cb7d64cefd6bd227623fcd767aca

  • SSDEEP

    3072:QnNL++0BS7cD00iKpyDcsvY8FhMYYCgxSoF7+H88uEThFcbW7yW2eNJKaozrdKwt:QNN0Y7E00iyhjv7+HoacbIz+kwA8

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

192.168.1.100:4800

Mutex

QSR_MUTEX_7vNK4lP6dLGZATRF5p

Attributes
  • encryption_key

    eX0M9ongNkCF1Jahr6Fc

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Trojan.MSIL.Agent.exe
    "C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Trojan.MSIL.Agent.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1732

Network

  • flag-us
    DNS
    ip-api.com
    Trojan.MSIL.Agent.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json/
    Trojan.MSIL.Agent.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 31 Jan 2025 18:35:58 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    Trojan.MSIL.Agent.exe
    374 B
    640 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json/

    HTTP Response

    200
  • 192.168.1.100:4800
    Trojan.MSIL.Agent.exe
    152 B
    3
  • 192.168.1.100:4800
    Trojan.MSIL.Agent.exe
    152 B
    3
  • 192.168.1.100:4800
    Trojan.MSIL.Agent.exe
    152 B
    3
  • 192.168.1.100:4800
    Trojan.MSIL.Agent.exe
    152 B
    3
  • 192.168.1.100:4800
    Trojan.MSIL.Agent.exe
    152 B
    3
  • 192.168.1.100:4800
    Trojan.MSIL.Agent.exe
    152 B
    3
  • 8.8.8.8:53
    ip-api.com
    dns
    Trojan.MSIL.Agent.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1732-0-0x000000007466E000-0x000000007466F000-memory.dmp

    Filesize

    4KB

  • memory/1732-1-0x0000000000A90000-0x0000000000AEE000-memory.dmp

    Filesize

    376KB

  • memory/1732-2-0x0000000074660000-0x0000000074D4E000-memory.dmp

    Filesize

    6.9MB

  • memory/1732-4-0x000000007466E000-0x000000007466F000-memory.dmp

    Filesize

    4KB

  • memory/1732-5-0x0000000074660000-0x0000000074D4E000-memory.dmp

    Filesize

    6.9MB
