quasar | 7dcda14173a0d102d6a02d290cbba10bd8a70e689375700bf0f322ea500c11c2

Analysis

max time kernel
890s
max time network
898s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-02-2025 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BypasserRunFirst.exe
Size

3.1MB
MD5

2c39f6ceea730bcfd551fb106fddf974
SHA1

5fbb018bd30429085f0309503901e04625a8847b
SHA256

7dcda14173a0d102d6a02d290cbba10bd8a70e689375700bf0f322ea500c11c2
SHA512

5a24f72f34170f3396524d062c4ae63c4f8ca6766783aeb730c063a8e8dff36a95f2054d45a3c9e0b5292818f70dc9bd7e2c65bb2f573537241d4f8c438fbbad
SSDEEP

49152:SvLlL26AaNeWgPhlmVqvMQ7XSKuiSg1J/VoGd0hTHHB72eh2NT:SvxL26AaNeWgPhlmVqkQ7XSKuiSO

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.3.210:4782

Mutex

66e2d8be-f2d1-430b-a858-bea567f34e0d

Attributes

encryption_key
6DDF2A1446CC876583B8AB188D7732CB160FAE85
install_name
TemperSpoferByCapyLovers.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/3032-1-0x00000000012B0000-0x00000000015D4000-memory.dmp	family_quasar
behavioral1/files/0x001500000001756e-5.dat	family_quasar
behavioral1/memory/2780-8-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2780	TemperSpoferByCapyLovers.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	BypasserRunFirst.exe
Token: SeDebugPrivilege	2780	TemperSpoferByCapyLovers.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2780	TemperSpoferByCapyLovers.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2780	3032	BypasserRunFirst.exe	30
PID 3032 wrote to memory of 2780	3032	BypasserRunFirst.exe	30
PID 3032 wrote to memory of 2780	3032	BypasserRunFirst.exe	30

C:\Users\Admin\AppData\Local\Temp\BypasserRunFirst.exe
"C:\Users\Admin\AppData\Local\Temp\BypasserRunFirst.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Roaming\SubDir\TemperSpoferByCapyLovers.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\TemperSpoferByCapyLovers.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\TemperSpoferByCapyLovers.exe

Filesize
3.1MB

MD5
2c39f6ceea730bcfd551fb106fddf974

SHA1
5fbb018bd30429085f0309503901e04625a8847b

SHA256
7dcda14173a0d102d6a02d290cbba10bd8a70e689375700bf0f322ea500c11c2

SHA512
5a24f72f34170f3396524d062c4ae63c4f8ca6766783aeb730c063a8e8dff36a95f2054d45a3c9e0b5292818f70dc9bd7e2c65bb2f573537241d4f8c438fbbad

Download Submit
memory/2780-7-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-8-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/2780-10-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-11-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-0-0x000007FEF6BB3000-0x000007FEF6BB4000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x00000000012B0000-0x00000000015D4000-memory.dmp

Filesize
3.1MB

Download
memory/3032-2-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-9-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download