quasar | eab5f974ec202f9576335f50646b1a7e6725557b1227b8f96ecc889c15498905 | Triage

Submit
Reports

Overview

overview

Static

static

CHEAT.rar

windows7-x64

CHEAT.rar

windows10-2004-x64

3

Sharing

General

Target

CHEAT.rar
Size

36.3MB
Sample

250209-dvjagavphn
MD5

203ba38accab7ff9b181c88176d7e17f
SHA1

33bd9fc89e77faed86bda399d018f9413f6eba73
SHA256

eab5f974ec202f9576335f50646b1a7e6725557b1227b8f96ecc889c15498905
SHA512

2cc04354147ef18f22c753303f4417744d349d41a1eb6ea28ef8ffad3831aa3e6317b698c24b3c1dc0ef60ed4e38564d21be4afc9a485ea22ec75dbe739f76a7
SSDEEP

786432:cQ1zPwv64YV/iSmT3kJtj88ZEP87mD+cmodF2fppwcPX/fzi82lb7O:hLB4YMhT0JtiKmiodiHvPWJlb7O

Score

10^/10

quasar office04 defense_evasion discovery execution persistence spyware themida trojan

Static task

static1

office04 themida quasar

4 signatures

Behavioral task

behavioral1

Sample

CHEAT.rar

Resource

win7-20241010-en

quasar office04 defense_evasion execution persistence spyware themida trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

CHEAT.rar

Resource

win10v2004-20250207-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.0.1.100:4782

Mutex

ed337c2a-f410-44a6-a75b-740207b7d8db

Attributes

encryption_key
6D00964D3D31D45131A3ECADA49AED6AAB6AAED0
install_name
CHEAT.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  CHEAT.rar
- Size
  
  36.3MB
- MD5
  
  203ba38accab7ff9b181c88176d7e17f
- SHA1
  
  33bd9fc89e77faed86bda399d018f9413f6eba73
- SHA256
  
  eab5f974ec202f9576335f50646b1a7e6725557b1227b8f96ecc889c15498905
- SHA512
  
  2cc04354147ef18f22c753303f4417744d349d41a1eb6ea28ef8ffad3831aa3e6317b698c24b3c1dc0ef60ed4e38564d21be4afc9a485ea22ec75dbe739f76a7
- SSDEEP
  
  786432:cQ1zPwv64YV/iSmT3kJtj88ZEP87mD+cmodF2fppwcPX/fzi82lb7O:hLB4YMhT0JtiKmiodiHvPWJlb7O
Score

10^/10

quasar office04 defense_evasion execution persistence spyware themida trojan discovery
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Creates new service(s)
  persistence execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

office04themidaquasar

behavioral1

quasaroffice04defense_evasionexecutionpersistencespywarethemidatrojan

behavioral2

© 2018-2025

Terms | Privacy