General
Target: HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
Size: 16.5MB
Sample: 230212-aav7raee2t
MD5: b9874cdde692f485a1c609aeafd075c3
SHA1: 8806ac9b20eaa78f89b5dfd1b78a3c7fb5cbffce
SHA256: 66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb
SHA512: 955e5e731e2d3fe9299fb90995fba95409d5b6086306960defbdc17f855175c63ccdb713f16b3e6ac3ee007f2317461d2e8693afefc56e7de494d879a3fd0aee
SSDEEP: 98304:AQC5lSLCSHP8Z2HOR0mW1LCjqOMKmxE6G:LC5R0mh
Static task: static1
Behavioral task: behavioral1
Sample: HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
Resource: win7-20221111-en
Malware Config
Extracted: quasar
Version: 1.3.0.0
ET
C2:
orcus.dyndns.org:1605
lsdw.dyndns.org:1606
labeokunta.dynnds.org:1606
xpert.dyndns.biz:1605
qz.dyndns.org:1605
imageline.dyndns.org:1606
kontakt-update.selfip.net:1606
Mutex: QSR_MUTEX_X8N0tEAk1p1Gbe9ioj
encryption_key: jVpAHlJqCIQYSDZsOYMx
install_name: Client.exe
log_directory: db.xlm
reconnect_delay: 30000
startup_key: Quasar Client Startup
subdirectory: SubDir
Extracted: bitrat
Version: 1.38
C2: hiv.dyndns.org:2222
communication_password: 194dd40edef1873b88c241057bb55f1b
tor_process: tor
Targets
Target: HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
Size: 16.5MB
Signatures:
Quasar payload
HiveRAT payload
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext