quasar | 11c1119ca27a3d70ef72d69c3f1af1ae9540d4b5d2b48d9b3caa554ba6f54cd2 | Triage

Submit
Reports

Overview

overview

Static

static

7

11c1119ca2...d2.exe

windows10-2004-x64

11c1119ca2...d2.exe

windows11-21h2-x64

Sharing

General

Target

11c1119ca27a3d70ef72d69c3f1af1ae9540d4b5d2b48d9b3caa554ba6f54cd2
Size

4.6MB
Sample

250419-mv1zystvgv
MD5

3ed992586de3ed67aad864fe62734937
SHA1

bcf4c8a3cbc671ba7fc6ac38b1581806913883dd
SHA256

11c1119ca27a3d70ef72d69c3f1af1ae9540d4b5d2b48d9b3caa554ba6f54cd2
SHA512

42668112eacf827325c88af0c6ec59c16b918f6f9772ef84e15a5ad8f0b5b6dd9643fe6d2467216c1374725b9c6cb742017ec7cebb6fb2763189d1d697f6ac37
SSDEEP

98304:/gYSDiz3Clzp6QcwQhgBe8MFLgg5A4gmRGo1q0ZT:oHDcSNcwQhgBimwtH

Score

10^/10

quasar office05 defense_evasion discovery spyware themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

11c1119ca27a3d70ef72d69c3f1af1ae9540d4b5d2b48d9b3caa554ba6f54cd2.exe

Resource

win10v2004-20250314-en

quasar office05 defense_evasion discovery spyware themida trojan

windows10-2004-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

11c1119ca27a3d70ef72d69c3f1af1ae9540d4b5d2b48d9b3caa554ba6f54cd2.exe

Resource

win11-20250410-en

quasar office05 defense_evasion discovery spyware themida trojan

windows11-21h2-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office05

C2

192.168.0.101:2025

Mutex

3f648fc9-2a82-4ca1-8687-e39e14478579

Attributes

encryption_key
F3E6B52CEF8F81BA550B56134E7C52D02C97B9AA
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  11c1119ca27a3d70ef72d69c3f1af1ae9540d4b5d2b48d9b3caa554ba6f54cd2
- Size
  
  4.6MB
- MD5
  
  3ed992586de3ed67aad864fe62734937
- SHA1
  
  bcf4c8a3cbc671ba7fc6ac38b1581806913883dd
- SHA256
  
  11c1119ca27a3d70ef72d69c3f1af1ae9540d4b5d2b48d9b3caa554ba6f54cd2
- SHA512
  
  42668112eacf827325c88af0c6ec59c16b918f6f9772ef84e15a5ad8f0b5b6dd9643fe6d2467216c1374725b9c6cb742017ec7cebb6fb2763189d1d697f6ac37
- SSDEEP
  
  98304:/gYSDiz3Clzp6QcwQhgBe8MFLgg5A4gmRGo1q0ZT:oHDcSNcwQhgBimwtH
Score

10^/10

quasar office05 defense_evasion discovery spyware themida trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice05defense_evasiondiscoveryspywarethemidatrojan

behavioral2

quasaroffice05defense_evasiondiscoveryspywarethemidatrojan

© 2018-2025

Terms | Privacy