quasar | ea874b80bf2b9b91e40a47b6b0ae70b0fdd4ae16b9f3824d80d90776667c8b2e

Analysis

max time kernel
145s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-19_1f82ce5688a1ddd2c78edd1aa1cf45c5_black-basta_cobalt-strike_satacom.exe
Size

3.6MB
MD5

1f82ce5688a1ddd2c78edd1aa1cf45c5
SHA1

e86638d98caa847d0d65871efbbb38661b824c68
SHA256

ea874b80bf2b9b91e40a47b6b0ae70b0fdd4ae16b9f3824d80d90776667c8b2e
SHA512

ec941365a143ac5699e87ec6c5ff9ef366de1ef5f07e2d57394dcefde639fff571605735452363cfb82c8e30537cc1e47e5199f44efb816f3e0c3e14e2a6f2d2
SSDEEP

98304:mKZPuHbAMo2SB+NA69Tu9dQ7L2gNR9qFSTI:mNMoSB+NAOTu9dQP9/9/

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.1:4782

Mutex

f80817f2-eab1-4d18-9eee-2f1cf2a4ab97

Attributes

encryption_key
84895DEABC045196F0C122A7F0DEB1F2D76E0532
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/5840-2-0x000001ECED8F0000-0x000001ECEDC14000-memory.dmp	family_quasar

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5840	2025-04-19_1f82ce5688a1ddd2c78edd1aa1cf45c5_black-basta_cobalt-strike_satacom.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5840	2025-04-19_1f82ce5688a1ddd2c78edd1aa1cf45c5_black-basta_cobalt-strike_satacom.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5840	2025-04-19_1f82ce5688a1ddd2c78edd1aa1cf45c5_black-basta_cobalt-strike_satacom.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-19_1f82ce5688a1ddd2c78edd1aa1cf45c5_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-19_1f82ce5688a1ddd2c78edd1aa1cf45c5_black-basta_cobalt-strike_satacom.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5840-0-0x000001ECD3090000-0x000001ECD33B3000-memory.dmp

Filesize
3.1MB

Download
memory/5840-1-0x00007FFC74513000-0x00007FFC74515000-memory.dmp

Filesize
8KB

Download
memory/5840-2-0x000001ECED8F0000-0x000001ECEDC14000-memory.dmp

Filesize
3.1MB

Download
memory/5840-3-0x00007FFC74510000-0x00007FFC74FD2000-memory.dmp

Filesize
10.8MB

Download
memory/5840-4-0x00007FFC74510000-0x00007FFC74FD2000-memory.dmp

Filesize
10.8MB

Download
memory/5840-5-0x00007FFC74510000-0x00007FFC74FD2000-memory.dmp

Filesize
10.8MB

Download
memory/5840-6-0x00007FFC74510000-0x00007FFC74FD2000-memory.dmp

Filesize
10.8MB

Download
memory/5840-8-0x000001ECEEFB0000-0x000001ECEF062000-memory.dmp

Filesize
712KB

Download
memory/5840-7-0x000001ECED550000-0x000001ECED5A0000-memory.dmp

Filesize
320KB

Download
memory/5840-9-0x00007FFC74513000-0x00007FFC74515000-memory.dmp

Filesize
8KB

Download
memory/5840-10-0x00007FFC74510000-0x00007FFC74FD2000-memory.dmp

Filesize
10.8MB

Download