crealstealer | ee41b124b3a612f8c9a0a2438c53911a96eda7a95e080229af9d8fb4f8190413

General

Target

setup.exe
Size

41.6MB
Sample

231002-qshblscg39
MD5

367508dc504f59a05096555a60d9359e
SHA1

044a9b8abf7abd7484e18922ac55d3294dc6cc22
SHA256

ee41b124b3a612f8c9a0a2438c53911a96eda7a95e080229af9d8fb4f8190413
SHA512

c027877e94da69d0b951fb685d7b1797d28290c8240b746ae26be4880d82a8f2baa0fa0c39ac87abd7ce5ddf90daff449cf62d79d65259d4019792985ad7b057
SSDEEP

393216:L/jkxiIE7YoPQtsTTp7Lk3meBcGfd0vYM2krlFk1mX1eq44:rjke7rPQts/RLaT5F0vYvXFg

Score

10^/10

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
1

Extracted

Family

quasar

Version

1.4.1

Botnet

user

C2

192.168.0.13:3440

elpepemanca.ddns.net:3440

Mutex

5950a87d-00d0-4fc0-a953-61143318e6d1

Attributes

encryption_key
1A866C514D7B8C5F02AAA72B847C1F305295B74C
install_name
Windows.exe
log_directory
Logs
reconnect_delay
1
startup_key
Discord.exe
subdirectory
System

Targets

- Target
  
  setup.exe
- Size
  
  41.6MB
- MD5
  
  367508dc504f59a05096555a60d9359e
- SHA1
  
  044a9b8abf7abd7484e18922ac55d3294dc6cc22
- SHA256
  
  ee41b124b3a612f8c9a0a2438c53911a96eda7a95e080229af9d8fb4f8190413
- SHA512
  
  c027877e94da69d0b951fb685d7b1797d28290c8240b746ae26be4880d82a8f2baa0fa0c39ac87abd7ce5ddf90daff449cf62d79d65259d4019792985ad7b057
- SSDEEP
  
  393216:L/jkxiIE7YoPQtsTTp7Lk3meBcGfd0vYM2krlFk1mX1eq44:rjke7rPQts/RLaT5F0vYvXFg
Score

10^/10

quasar user bootkit collection discovery evasion exploit persistence pyinstaller ransomware spyware stealer trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1