quasar | f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990 | Triage

Submit
Reports

Overview

overview

Static

static

1

test.bat

windows10-ltsc 2021-x64

test.bat

windows11-21h2-x64

Sharing

General

Target

test.bat
Size

7.7MB
Sample

250205-ap2cba1pfq
MD5

22070488e8b05fa3d1555e35cb02e2c4
SHA1

17affd9bceb5b254a65f2b918008118b3e771f5d
SHA256

f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990
SHA512

2db6d0ea121b100e0a2d69d93062f794ef52332139f67355a808cdf4310265575b17e62e3a6b2fe306a4ed8879a781bd203fc18cda7c074e0ded57c79528f0e6
SSDEEP

49152:E1Knuw9suLZqlYvKn2jUftGqD68t0vgVuX3e/YI7G6YLgkHB6yNKvNBynnHeZhCN:P

Score

10^/10

quasar seroxen v15.0 | fifa23 defense_evasion discovery persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

test.bat

Resource

win10ltsc2021-20250128-en

quasar seroxen v15.0 | fifa23 defense_evasion persistence spyware trojan

windows10-ltsc 2021-x64

29 signatures

900 seconds

Behavioral task

behavioral2

Sample

test.bat

Resource

win11-20241007-en

quasar seroxen v15.0 | fifa23 defense_evasion discovery spyware trojan

windows11-21h2-x64

32 signatures

900 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

v15.0 | Fifa23

C2

private123.duckdns.org:8808

dofucks.com:8808

Mutex

c398e98c-136e-4007-ab40-e179829f338c

Attributes

encryption_key
C84CB6134701741C5122A14FACDB67C8CFA9C0AB
install_name
.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$sxr-seroxen

Targets

- Target
  
  test.bat
- Size
  
  7.7MB
- MD5
  
  22070488e8b05fa3d1555e35cb02e2c4
- SHA1
  
  17affd9bceb5b254a65f2b918008118b3e771f5d
- SHA256
  
  f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990
- SHA512
  
  2db6d0ea121b100e0a2d69d93062f794ef52332139f67355a808cdf4310265575b17e62e3a6b2fe306a4ed8879a781bd203fc18cda7c074e0ded57c79528f0e6
- SSDEEP
  
  49152:E1Knuw9suLZqlYvKn2jUftGqD68t0vgVuX3e/YI7G6YLgkHB6yNKvNBynnHeZhCN:P
Score

10^/10

quasar seroxen v15.0 | fifa23 defense_evasion persistence spyware trojan discovery
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Seroxen family
  seroxen
- Seroxen, Ser0xen
  Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.
  trojan seroxen
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

Clear Windows Event Logs

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarseroxenv15.0 | fifa23defense_evasionpersistencespywaretrojan

behavioral2

quasarseroxenv15.0 | fifa23defense_evasiondiscoveryspywaretrojan

© 2018-2025

Terms | Privacy