quasar | 4acea05ab0905a50470e55fcb4575e6feee6e7f5ae857bdd388818cee7a562c6

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51bce03659ae9fd8336540fcecb2bb401b5967b00829fe23554c29dc96ff9462.exe
Size

3.1MB
MD5

df996beac5ac63cb5bccd4aac8ff4213
SHA1

9187a4889e41e805c1a2fc485193c3df52aaebd2
SHA256

51bce03659ae9fd8336540fcecb2bb401b5967b00829fe23554c29dc96ff9462
SHA512

4befae5aa20984b6445b053b8f222da5e4f5cc72af9aa04a0010ef78157905f2d2791d149515fab63a33889dfedad22e7f57b15c9fac0ec5437398be6539dd7d
SSDEEP

49152:SvvI22SsaNYfdPBldt698dBcjHYRxNESEJk/i5LoGdHTHHB72eh2NT:Svg22SsaNYfdPBldt6+dBcjHWx8J

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.68.101:4782

Mutex

fbe2fd24-30b6-43ab-98e0-24e8e427f779

Attributes

encryption_key
3BF4A75B9DFA3D9887A60E8B0225F10311842D24
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral16/memory/116-1-0x0000000000B20000-0x0000000000E44000-memory.dmp	family_quasar
behavioral16/files/0x00080000000241d2-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
664	Client.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	51bce03659ae9fd8336540fcecb2bb401b5967b00829fe23554c29dc96ff9462.exe
Token: SeDebugPrivilege	664	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
664	Client.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 664	116	51bce03659ae9fd8336540fcecb2bb401b5967b00829fe23554c29dc96ff9462.exe	88
PID 116 wrote to memory of 664	116	51bce03659ae9fd8336540fcecb2bb401b5967b00829fe23554c29dc96ff9462.exe	88

C:\Users\Admin\AppData\Local\Temp\51bce03659ae9fd8336540fcecb2bb401b5967b00829fe23554c29dc96ff9462.exe
"C:\Users\Admin\AppData\Local\Temp\51bce03659ae9fd8336540fcecb2bb401b5967b00829fe23554c29dc96ff9462.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
df996beac5ac63cb5bccd4aac8ff4213

SHA1
9187a4889e41e805c1a2fc485193c3df52aaebd2

SHA256
51bce03659ae9fd8336540fcecb2bb401b5967b00829fe23554c29dc96ff9462

SHA512
4befae5aa20984b6445b053b8f222da5e4f5cc72af9aa04a0010ef78157905f2d2791d149515fab63a33889dfedad22e7f57b15c9fac0ec5437398be6539dd7d

Download Submit
memory/116-0-0x00007FF85A973000-0x00007FF85A975000-memory.dmp

Filesize
8KB

Download
memory/116-1-0x0000000000B20000-0x0000000000E44000-memory.dmp

Filesize
3.1MB

Download
memory/116-2-0x00007FF85A970000-0x00007FF85B431000-memory.dmp

Filesize
10.8MB

Download
memory/116-9-0x00007FF85A970000-0x00007FF85B431000-memory.dmp

Filesize
10.8MB

Download
memory/664-8-0x00007FF85A970000-0x00007FF85B431000-memory.dmp

Filesize
10.8MB

Download
memory/664-10-0x00007FF85A970000-0x00007FF85B431000-memory.dmp

Filesize
10.8MB

Download
memory/664-11-0x00000000027C0000-0x0000000002810000-memory.dmp

Filesize
320KB

Download
memory/664-12-0x000000001B600000-0x000000001B6B2000-memory.dmp

Filesize
712KB

Download
memory/664-13-0x00007FF85A970000-0x00007FF85B431000-memory.dmp

Filesize
10.8MB

Download