quasar | fd5cb342981e9d61398e07e8ccbb12d758b0faec8515ed99c2fe070090b869e0 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

test.exe

windows7-x64

test.exe

windows10-2004-x64

Sharing

General

Target

test.exe
Size

1.4MB
Sample

250228-fv9hrs1ygx
MD5

b7b90c3d3f12be01a2508b40015cdae3
SHA1

a14a3f57ae4f6d66da36636e41bb95efe4291999
SHA256

fd5cb342981e9d61398e07e8ccbb12d758b0faec8515ed99c2fe070090b869e0
SHA512

0ec46bbce7349bcae6b4068246b6c2a9feb6133697c4d192172878f5f8b5bfcdfbda7e8e06d4d211439e7a1251dd9a0e90d4b7d19ce76e00bb7b6356f16d467d
SSDEEP

12288:qOBn5xPFMHnPHvw+XVTt6uQ4lPPwQ1Mg0xhOyoK5zKpyS1u5XHmIyg:qOfH8QmPwqMgwhfz6imxg

Score

10^/10

quasar xworm office04 rat spyware trojan

Static task

static1

office04 quasar

3 signatures

Behavioral task

behavioral1

Sample

test.exe

Resource

win7-20240903-en

quasar office04 spyware trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

test.exe

Resource

win10v2004-20250217-en

quasar xworm office04 rat spyware trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

advertising-interfaces.gl.at.ply.gg:32479

Mutex

9e444bcd-22a0-41fd-b465-3a16b901895b

Attributes

encryption_key
70773A6AB51CC4D9E9DBC452F577B4BEB037CC32
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
jdk-23_windows-x64
subdirectory
SubDir

Extracted

Family

xworm

C2

operates-vampire.with.playit.plus:4353

Attributes

Install_directory
%LocalAppData%
install_file
XClient2.0.exe

Targets

- Target
  
  test.exe
- Size
  
  1.4MB
- MD5
  
  b7b90c3d3f12be01a2508b40015cdae3
- SHA1
  
  a14a3f57ae4f6d66da36636e41bb95efe4291999
- SHA256
  
  fd5cb342981e9d61398e07e8ccbb12d758b0faec8515ed99c2fe070090b869e0
- SHA512
  
  0ec46bbce7349bcae6b4068246b6c2a9feb6133697c4d192172878f5f8b5bfcdfbda7e8e06d4d211439e7a1251dd9a0e90d4b7d19ce76e00bb7b6356f16d467d
- SSDEEP
  
  12288:qOBn5xPFMHnPHvw+XVTt6uQ4lPPwQ1Mg0xhOyoK5zKpyS1u5XHmIyg:qOfH8QmPwqMgwhfz6imxg
Score

10^/10

quasar office04 spyware trojan xworm rat
- Detect Xworm Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04spywaretrojan

behavioral2

quasarxwormoffice04ratspywaretrojan

© 2018-2025

Terms | Privacy