quasar | 772d48ac3ed6e1bd6094d3a31678caa0f3de77f2fb64ac4f52659683c6c6dddc

General

Target

2025-04-19_05ddb104906f6ea114b687fffece5b95_black-basta_cobalt-strike_satacom.exe
Size

1.7MB
MD5

05ddb104906f6ea114b687fffece5b95
SHA1

250f2dd9f6a3b5660c1cd72fc3747f238b2f8625
SHA256

772d48ac3ed6e1bd6094d3a31678caa0f3de77f2fb64ac4f52659683c6c6dddc
SHA512

3e3014ef6c9da9f0fcb4b3014a76d70fe7272bf0a1633557f84367ceb745eefe7936e02d15c8f170dab3b9efd032eaa05d3fb31da0302d2b0f40cc974411f611
SSDEEP

49152:lQfiZ7qCLpHLuxk7XKL7lMQ3uIf4g0eGh3i:lT3qqjKL7ln3uIf4gqc

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.110.238:4782

Mutex

fe3c09da-272f-47ae-bbc2-f769a61800a8

Attributes

encryption_key
D8E1C53E54B16A3F7E334DC084C4452B36785B7D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001b00000002b0f1-6.dat	family_quasar
behavioral2/memory/2724-15-0x0000000000F80000-0x00000000012A4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2724	Client-built.exe
4304	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4444	schtasks.exe
4748	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	Client-built.exe
Token: SeDebugPrivilege	4304	Client.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4304	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4304	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4304	Client.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2724	2248	2025-04-19_05ddb104906f6ea114b687fffece5b95_black-basta_cobalt-strike_satacom.exe	78
PID 2248 wrote to memory of 2724	2248	2025-04-19_05ddb104906f6ea114b687fffece5b95_black-basta_cobalt-strike_satacom.exe	78
PID 2724 wrote to memory of 4444	2724	Client-built.exe	81
PID 2724 wrote to memory of 4444	2724	Client-built.exe	81
PID 2724 wrote to memory of 4304	2724	Client-built.exe	83
PID 2724 wrote to memory of 4304	2724	Client-built.exe	83
PID 4304 wrote to memory of 4748	4304	Client.exe	84
PID 4304 wrote to memory of 4748	4304	Client.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-04-19_05ddb104906f6ea114b687fffece5b95_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-19_05ddb104906f6ea114b687fffece5b95_black-basta_cobalt-strike_satacom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4444
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4748

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
3.1MB

MD5
530ee8e1e0deff8aeed6b475527ca884

SHA1
48a692c18e06b9c5dd195486a8524b428cfd8053

SHA256
b112e77255e16e32e6de1d38badc469d778d843cc4b51f626a6c6b56e0d36a27

SHA512
0956be94b19a74e1f37455f85c801b07ad6010da1298656c57307a67cf9333e153a8d0b5d5f311189e5a33363c73ec4d2ff96a665dbcaf950171aded47c5aaeb

Download Submit
memory/2724-14-0x00007FFF89153000-0x00007FFF89155000-memory.dmp

Filesize
8KB

Download
memory/2724-15-0x0000000000F80000-0x00000000012A4000-memory.dmp

Filesize
3.1MB

Download
memory/2724-16-0x00007FFF89150000-0x00007FFF89C12000-memory.dmp

Filesize
10.8MB

Download
memory/2724-23-0x00007FFF89150000-0x00007FFF89C12000-memory.dmp

Filesize
10.8MB

Download
memory/4304-24-0x000000001C270000-0x000000001C2C0000-memory.dmp

Filesize
320KB

Download
memory/4304-25-0x000000001C380000-0x000000001C432000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads