quasar | adb07f246886c9b3923cb565463a66cc3e69f16982dd513669d09b5285ac5cfa | Triage

Submit
Reports

Overview

overview

Static

static

3

VerifiedAs...ed.exe

windows7-x64

VerifiedAs...ed.exe

windows10-2004-x64

Sharing

General

Target

VerifiedAssetLinked.exe
Size

3.2MB
Sample

250326-wa9k2azvdw
MD5

e8ecf83250f2badd7aa0c240fdc7be04
SHA1

23081fbff25cb90abfaa3f6c80d3ae79dbaf6fdb
SHA256

adb07f246886c9b3923cb565463a66cc3e69f16982dd513669d09b5285ac5cfa
SHA512

aeebeb2f787303a8ea5594fd94e7c8002b8dd9eb6dd01bea001a6540c96954359d8fc2e4a596108256d197ef06bebca367900e388882e17ab134c2e8ec595140
SSDEEP

49152:uXMWUmXsmnc6gB5LCeVYc5qwKQaUW6KfR3kVmqEze6ylTfKb8ExP0abZAGU3uXfp:kzTc6gBFi6aL7i1serlrK10EpU3uW

Score

10^/10

quasar xworm office04 defense_evasion discovery rat spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

VerifiedAssetLinked.exe

Resource

win7-20240903-en

quasar xworm office04 defense_evasion discovery rat spyware trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

VerifiedAssetLinked.exe

Resource

win10v2004-20250314-en

quasar xworm office04 defense_evasion discovery rat spyware trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

84.67.89.127:4782

Mutex

40b84850-9991-4b2c-a985-76db9b77d6fe

Attributes

encryption_key
24D2D4587F63E088D81748782350D3C2EF08E8BC
install_name
SystemRuntimes.exe
log_directory
Logs
reconnect_delay
3000
startup_key
DisplayRuntimes
subdirectory
SubDir

Extracted

Family

xworm

Version

5.0

C2

84.67.89.127:7000

Mutex

i0Qt3kYCfooW9ohR

Attributes

Install_directory
%AppData%
install_file
System.exe

aes.plain

Targets

- Target
  
  VerifiedAssetLinked.exe
- Size
  
  3.2MB
- MD5
  
  e8ecf83250f2badd7aa0c240fdc7be04
- SHA1
  
  23081fbff25cb90abfaa3f6c80d3ae79dbaf6fdb
- SHA256
  
  adb07f246886c9b3923cb565463a66cc3e69f16982dd513669d09b5285ac5cfa
- SHA512
  
  aeebeb2f787303a8ea5594fd94e7c8002b8dd9eb6dd01bea001a6540c96954359d8fc2e4a596108256d197ef06bebca367900e388882e17ab134c2e8ec595140
- SSDEEP
  
  49152:uXMWUmXsmnc6gB5LCeVYc5qwKQaUW6KfR3kVmqEze6ylTfKb8ExP0abZAGU3uXfp:kzTc6gBFi6aL7i1serlrK10EpU3uW
Score

10^/10

quasar xworm office04 defense_evasion discovery rat spyware trojan
- Detect Xworm Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarxwormoffice04defense_evasiondiscoveryratspywaretrojan

behavioral2

quasarxwormoffice04defense_evasiondiscoveryratspywaretrojan

© 2018-2025

Terms | Privacy