General
-
Target
105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
-
Size
2.3MB
-
Sample
230206-y7txysba5y
-
MD5
b162ab57ef8877c9ab873932e3025039
-
SHA1
f7f290cf666bc4e8877a5ef09b8ed1ab8291638f
-
SHA256
105b3e33e393c9d0ccdaae95ffcbb9eff9a946f79683ca932a11d0fc674c64e2
-
SHA512
13927b2df2e9aeaf601def099b7f006383937f2984344571150a45aad034a85cd13832874c8382a76a8725600cb8439820fb8d691af90f7bf8ce859b8fe1e51d
-
SSDEEP
24576:EMRpqU3LsGw9tDW06PHAHHeO4ElrkWUZlDd09H7YgngNXN4dXh5nfr2Sd5+ZiTt+:lu95k+X/nT2SdQat/cM7Zcm2
Malware Config
Extracted
quasar
1.4.0
Pure____1
sabifati.linkpc.net:4784
deli.mywire.org:4784
3a359e52-00bd-4e3d-8201-985b53b0c176
-
encryption_key
78BC50021362B61652204981B13FE17E053A03F1
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
-
Size
2.3MB
-
MD5
b162ab57ef8877c9ab873932e3025039
-
SHA1
f7f290cf666bc4e8877a5ef09b8ed1ab8291638f
-
SHA256
105b3e33e393c9d0ccdaae95ffcbb9eff9a946f79683ca932a11d0fc674c64e2
-
SHA512
13927b2df2e9aeaf601def099b7f006383937f2984344571150a45aad034a85cd13832874c8382a76a8725600cb8439820fb8d691af90f7bf8ce859b8fe1e51d
-
SSDEEP
24576:EMRpqU3LsGw9tDW06PHAHHeO4ElrkWUZlDd09H7YgngNXN4dXh5nfr2Sd5+ZiTt+:lu95k+X/nT2SdQat/cM7Zcm2
Score10/10-
Modifies WinLogon for persistence
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Nirsoft
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-