quasar | 314e9bbe1e43938595f774fe97f4926c9f169493f9ea6f5a5f2b31d7f636cacd

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

314e9bbe1e43938595f774fe97f4926c9f169493f9ea6.exe
Size

3.1MB
MD5

03b55d6ac2f64414dc30dd72b0da1f0f
SHA1

ef558eca01ec67ab75e9f95d8e8bf7a669bc8ae3
SHA256

314e9bbe1e43938595f774fe97f4926c9f169493f9ea6f5a5f2b31d7f636cacd
SHA512

0facab9d27811af1ff6327fdef4444eb93aba175979a0d4788ff3c8709bcb6f9600d6d9b5febc0ee6b079590d30cf72db91b14d513f7996bd37e62285ef7f426
SSDEEP

49152:DvEI22SsaNYfdPBldt698dBcjH5OokzoaM7LoGTUTHHB72eh2NT:Dvp22SsaNYfdPBldt6+dBcjHAnzu

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

193.161.193.99:35024

Mutex

c43ec3d5-ee0a-428c-b759-6a528906b342

Attributes

encryption_key
55EBDCAC6A0AD087E3335B935F8905200B2957F3
install_name
Client.exe
log_directory
Logs
reconnect_delay
100
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4428-1-0x00000000008A0000-0x0000000000BC4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	314e9bbe1e43938595f774fe97f4926c9f169493f9ea6.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4428	314e9bbe1e43938595f774fe97f4926c9f169493f9ea6.exe
4428	314e9bbe1e43938595f774fe97f4926c9f169493f9ea6.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4428	314e9bbe1e43938595f774fe97f4926c9f169493f9ea6.exe
4428	314e9bbe1e43938595f774fe97f4926c9f169493f9ea6.exe

C:\Users\Admin\AppData\Local\Temp\314e9bbe1e43938595f774fe97f4926c9f169493f9ea6.exe
"C:\Users\Admin\AppData\Local\Temp\314e9bbe1e43938595f774fe97f4926c9f169493f9ea6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4428-0-0x00007FFF6A613000-0x00007FFF6A615000-memory.dmp

Filesize
8KB

Download
memory/4428-1-0x00000000008A0000-0x0000000000BC4000-memory.dmp

Filesize
3.1MB

Download
memory/4428-2-0x00007FFF6A610000-0x00007FFF6B0D1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-3-0x000000001C2B0000-0x000000001C300000-memory.dmp

Filesize
320KB

Download
memory/4428-4-0x000000001C3C0000-0x000000001C472000-memory.dmp

Filesize
712KB

Download
memory/4428-7-0x000000001C300000-0x000000001C312000-memory.dmp

Filesize
72KB

Download
memory/4428-8-0x000000001C360000-0x000000001C39C000-memory.dmp

Filesize
240KB

Download
memory/4428-9-0x00007FFF6A613000-0x00007FFF6A615000-memory.dmp

Filesize
8KB

Download
memory/4428-10-0x00007FFF6A610000-0x00007FFF6B0D1000-memory.dmp

Filesize
10.8MB

Download