quasar | 8bdfa3c37749a6ad28e52a1c32d709bcd3f423ffce77f2eb1fbabfad4f1732a1 | Triage

Submit
Reports

Overview

overview

Static

static

3

nykfsekawddd.exe

windows7-x64

nykfsekawddd.exe

windows10-2004-x64

Sharing

General

Target

nykfsekawddd.exe
Size

994KB
Sample

250212-z872msykfr
MD5

fd5f7cb05fed3f0ddf336b4d774233a9
SHA1

38e64f34cd6e401464a9d3433eaba77717544ad4
SHA256

8bdfa3c37749a6ad28e52a1c32d709bcd3f423ffce77f2eb1fbabfad4f1732a1
SHA512

aa660ba760fc12feb886e5b94708e298f7c855e128d4f7c00054f78e014272d69f3c56186bd3a56a4d0d5623bfbe2a1df544941c5a10ca10ea8016e9ff9f6181
SSDEEP

24576:oEPJIUv0nWZZwMAgqYUSE7tohH3iBNs9cc:FP0uAKfE7topcJc

Score

10^/10

quasar office discovery spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

nykfsekawddd.exe

Resource

win7-20240903-en

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

nykfsekawddd.exe

Resource

win10v2004-20250211-en

quasar office discovery spyware trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

85.192.29.60:5850

Mutex

tugm7GpNoIWBENfmpC

Attributes

encryption_key
I54wSzWCzGjFo5K79lKk
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Targets

- Target
  
  nykfsekawddd.exe
- Size
  
  994KB
- MD5
  
  fd5f7cb05fed3f0ddf336b4d774233a9
- SHA1
  
  38e64f34cd6e401464a9d3433eaba77717544ad4
- SHA256
  
  8bdfa3c37749a6ad28e52a1c32d709bcd3f423ffce77f2eb1fbabfad4f1732a1
- SHA512
  
  aa660ba760fc12feb886e5b94708e298f7c855e128d4f7c00054f78e014272d69f3c56186bd3a56a4d0d5623bfbe2a1df544941c5a10ca10ea8016e9ff9f6181
- SSDEEP
  
  24576:oEPJIUv0nWZZwMAgqYUSE7tohH3iBNs9cc:FP0uAKfE7topcJc
Score

10^/10

discovery quasar office spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarofficediscoveryspywaretrojan

© 2018-2025

Terms | Privacy