General
Target: 869037e716218fb7551d84b8ce7d0ae7.bin
Size: 709KB
Sample: 230207-japveadc5v
MD5: 36501e3878f35c2ec7cc76b113632b22
SHA1: db1b23e5f84f195ddd468dc3b77d3902a902cc1b
SHA256: d2ea05b0fa56e153cdbf014f6083cd6826bf52894ea38a664b1ed3669d6ec1d5
SHA512: ee42a0beecb73f32c8ed95e1eea8baacfd9219bb3eb4330d5368c37ad4c43b97ea537109fd8e5885cca93ebaa8a77d8d940717f63d2b8a7a5573687d096af6e4
SSDEEP: 12288:m6MaHYVYXv+OlQL+SmCp449WyykFJQz0UNCk5OVKcc7MIxTA9bIX5GVKmWcP/:62qLK4gXkozJKE7DEbIXIVBx
Static task: static1
Behavioral task: behavioral1
Sample: 305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted
quasar
1.4.0.0
Office04
youhackernetpaingodxd.duckdns.org:5557
blablashitspreading.ddns.net:5557
xEoEv3HHdyEIYwJRFM
encryption_key: w3WfcmWh1iXT9cxeKFEX
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Targets
Target: 305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6.exe
Size: 763KB
MD5: 869037e716218fb7551d84b8ce7d0ae7
SHA1: 12cb776519eeb2d5e6a7ab1ddce3a09f143d5f18
SHA256: 305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6
SHA512: 6840e10d1daeacd169dba4a0049bc3b9087726dd45551b9a9587d57ec45d926356ce1656a39fdf35c1acb4020c564ec1f6a910fd83cde99e3ff75195728c72d2
SSDEEP: 12288:SAZdPU5ttcsREhy5IYU8OaNISOvsk0gnT467zpmw7OfimWm/YfdFxfJ:S2UVc+EhyuAOaNIBXnT46fpmiOfimWy4
- Detect PureCrypter injector
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
- Quasar payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext