quasar | ca836ea84ec237db743f78ddeef8884260cb873dc0f41d82dd03e3b3e8c154e2

Analysis

max time kernel
147s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2025, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-19_bb2609006530c823044bfa8c88a36899_black-basta_cobalt-strike_satacom.exe
Size

3.6MB
MD5

bb2609006530c823044bfa8c88a36899
SHA1

a3ee585e44fa7beeaf2720092088abdb31a8ba14
SHA256

ca836ea84ec237db743f78ddeef8884260cb873dc0f41d82dd03e3b3e8c154e2
SHA512

2fa44b55541426a636d20354999b9f8ba6e41851dd2018df2e2361e19173bf7bd28ea617e79ba80c8075f9e3da771cc5a383b2e9a16fc300447e546fc4da1a68
SSDEEP

98304:ZKYPuHbAMo2SB+NA69Tu9dQ7L2gNR9qFSTI:ZuMoSB+NAOTu9dQP9/9/

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.1:4782

Mutex

f80817f2-eab1-4d18-9eee-2f1cf2a4ab97

Attributes

encryption_key
84895DEABC045196F0C122A7F0DEB1F2D76E0532
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/4084-2-0x0000027D59830000-0x0000027D59B54000-memory.dmp	family_quasar

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4084	2025-04-19_bb2609006530c823044bfa8c88a36899_black-basta_cobalt-strike_satacom.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4084	2025-04-19_bb2609006530c823044bfa8c88a36899_black-basta_cobalt-strike_satacom.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4084	2025-04-19_bb2609006530c823044bfa8c88a36899_black-basta_cobalt-strike_satacom.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-19_bb2609006530c823044bfa8c88a36899_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-19_bb2609006530c823044bfa8c88a36899_black-basta_cobalt-strike_satacom.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4084-0-0x0000027D3EE20000-0x0000027D3F143000-memory.dmp

Filesize
3.1MB

Download
memory/4084-1-0x00007FFFBE4E3000-0x00007FFFBE4E5000-memory.dmp

Filesize
8KB

Download
memory/4084-2-0x0000027D59830000-0x0000027D59B54000-memory.dmp

Filesize
3.1MB

Download
memory/4084-3-0x00007FFFBE4E0000-0x00007FFFBEFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-4-0x00007FFFBE4E0000-0x00007FFFBEFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-5-0x00007FFFBE4E0000-0x00007FFFBEFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-6-0x00007FFFBE4E0000-0x00007FFFBEFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-7-0x0000027D59550000-0x0000027D595A0000-memory.dmp

Filesize
320KB

Download
memory/4084-8-0x0000027D596D0000-0x0000027D59782000-memory.dmp

Filesize
712KB

Download
memory/4084-9-0x00007FFFBE4E3000-0x00007FFFBE4E5000-memory.dmp

Filesize
8KB

Download
memory/4084-10-0x00007FFFBE4E0000-0x00007FFFBEFA1000-memory.dmp

Filesize
10.8MB

Download