General
Target: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.zip
Size: 39KB
Sample: 230321-qnrz9aad69
MD5: 0ed91969de854f71d6d2752bac851a08
SHA1: e5c0a7478f3f2184e9e5dcc179264ac6c9acb962
SHA256: 844b8fb8321d71afa34e37980c113ba01b2f5afe86b751e17f7f1f06fd0fa8ad
SHA512: 89ce0dec98e8934f2a2e7623016499ac43ac658fa021dc6477848da28a1e23f49c1f24c9737acc3936157b11e94e66a9a31fbd3df284aecf15f8e8c46f2fd878
SSDEEP: 768:6UN7XgStxWQgOJA3YeGNb7C9ybqHwJGwNTHAl3J3lp2:37v3vA3YeuCQJGw45O
Behavioral task: behavioral1
Sample: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.xlsm
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.xlsm
Resource: win10v2004-20230221-en
Malware Config
Extracted family: quasar
Version: 1.3.0.0
Botnet: SUCCESS
C2: 41.185.97.216:4782
Mutex: MUTEX_QAxMFzrXWG2cbIHPGK
encryption_key: 4DwUV8AnxPgmXSMeThKb
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: cmd
subdirectory: SubDir
Targets
Target: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.xlsm
Size: 42KB
MD5: edef1e97fcca56228c1956db6b514f55
SHA1: 00d1bb1cf96aee9a21508b23f6ac113153131b1c
SHA256: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93
SHA512: ba718485a68b2a9f5c134e186309dae1d169c22fcc15a4d028121df564fd64a9805e3d31a7edf82279b371c883721dc4d8accc2a3fe02ab3b841cd184b7aa236
SSDEEP: 768:WrvDK4vwssnjS7zWl2BIJYfTH+niSpwvDHvDv+nWfFFiKk/f1qtfHF7RT+nsFf:ivXvwTjSul2G1BoTvDv+0FFi3/dqJl7Z
Score: 10/10

Signatures
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Quasar payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext