Extracted

Extracted

• • Target

    vcac.exe

  • Size

    24.2MB

  • MD5

    0bb88f910f99843a0416c3c651436938

  • SHA1

    38dc0516f6714e1036ffe1fb373335235f02d2d9

  • SHA256

    24ccbebd6c91381401c686aa354355da63a75e81f170ca7abd207c7f017d5da4

  • SHA512

    2dc27e9d692ce2f60ea41f68d924cd6f7974d8316dc61749c048a12e19ada5241626c8f3fbcf8a9b826066d66a8465138e74d078dceda587a8c130cf8b2203a1

  • SSDEEP

    98304:MKBbBWIgWljGxRB/LLqvc22SsaNYfdPBldt6+dBcjHVCU688cIyGOk3ta:94xRBj4B7j4U6gl

  Score

  10^/10

  quasaruserbootkitcollectiondiscoveryevasionexploitpersistencepyinstallerransomwarespywaretrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar payload

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Disables Task Manager via registry modification

    evasion

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible privilege escalation attempt

    exploit

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1