General
Target: Booking0217pdf.exe
Size: 62KB
Sample: 230801-lg2hwseh69
MD5: 073a7d0ba4619b63b59e3f3c055a52e5
SHA1: e7e91c2f94f946627bfd4cae19a263e7d99861cc
SHA256: cd1a3a3951014346894a253fa1a9dc05b221640be311dc679a83b4f91b1449f0
SHA512: d1e359651d072d18c645b05e016c8407e2f9ca17693cfbd73a04bf7c163865df640ec7cb81ebfc79522cf2e84b22f3e5cb73be088ee4b200c3a5fe4185de3ebb
SSDEEP: 768:4e9QoE/ASU2kRpqoOkAdsA9kWFXXtwboYzAF+IFqoZlO1iG8IYiV/eXlPxWEaB:4eid5kRpqIsdFn0Hz2qoFI7VeVPxu
Static task: static1

Behavioral task: behavioral1
Sample: Booking0217pdf.exe
Resource: win7-20230712-en

Behavioral task: behavioral2
Sample: Booking0217pdf.exe
Resource: win10v2004-20230703-en
Malware Config
Extracted: quasar
1.3.0.0
16th JULY
198.98.54.161:6666
QSR_MUTEX_Pl8uFsFQG2ggU9gBx9
encryption_key: 3XivPs8YQVpfxU1EhGZE
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: notes
subdirectory: SubDir
Targets
Target: Booking0217pdf.exe
Size: 62KB
MD5: 073a7d0ba4619b63b59e3f3c055a52e5
SHA1: e7e91c2f94f946627bfd4cae19a263e7d99861cc
SHA256: cd1a3a3951014346894a253fa1a9dc05b221640be311dc679a83b4f91b1449f0
SHA512: d1e359651d072d18c645b05e016c8407e2f9ca17693cfbd73a04bf7c163865df640ec7cb81ebfc79522cf2e84b22f3e5cb73be088ee4b200c3a5fe4185de3ebb
SSDEEP: 768:4e9QoE/ASU2kRpqoOkAdsA9kWFXXtwboYzAF+IFqoZlO1iG8IYiV/eXlPxWEaB:4eid5kRpqIsdFn0Hz2qoFI7VeVPxu
Score: 10/10
- Quasar payload
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext