General

  • Target

    vcac.exe

  • Size

    24.2MB

  • Sample

    231011-f1gpyadf85

  • MD5

    60db2af267aaa16ab82007ce5dc80685

  • SHA1

    2c9ea81aac005653e0f49deaf7635d69300ef644

  • SHA256

    e4b0092942132b80858e5364222a3da3303456764192aeb3717311b54610b7fd

  • SHA512

    3b127f1f0cc3381a61344cc319e2d99af1a906717c485972df881096a36b7c567c26d71b65424d34e4ca84624ee8924de6bf376edb47c819cadf2d6b93a9d101

  • SSDEEP

    98304:qKBbBWIgWljGxRB/LL6vc22SsaNYfdPBldt6+dBcjHVCU688cIyGOk3ta:P4xRBjgB7j4U6gl

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    1

Targets

    • Target

      vcac.exe

    • Quasar RAT

      Quasar is an open-source remote access tool (RAT) written in C#; the configuration extracted above (family quasar) matches this family.

    • Quasar payload

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up the country code configured in the registry (on Windows this is the Geo\Nation value under HKCU\Control Panel\International), likely as a geofence to avoid running in certain countries.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory
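The signatures above are behavioural hits recorded by the sandbox. As an added example (editor's code, not tria.ge tooling), the Python below rematches four of them, the registry country-code lookup, the Startup-folder drop, the Run-key write and the MBR write, against a constructed API trace and maps each hit to an ATT&CK technique. The trace lines, the `<pid> <operation> <target> [key=value ...]` line format and the ATT&CK mapping are all assumptions made here; the report itself does not expose its trace format.

```python
import re
from collections import defaultdict

# Constructed trace, not a real tria.ge export. Assumed format per line:
#   <pid> <operation> <target> [key=value ...]
# PID 1234 plays the sample; PID 5678 is benign noise for contrast.
SAMPLE_TRACE = r"""
1234 RegQueryValue HKCU\Control Panel\International\Geo\Nation
1234 CreateFile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vcac.lnk
1234 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vcac
1234 WriteFile \\.\PhysicalDrive0 offset=0 length=512
5678 WriteFile \\.\PhysicalDrive0 offset=1048576 length=4096
5678 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
"""

# pid, operation, free-form target (may contain spaces), trailing key=value attrs
EVENT_RE = re.compile(r"^(\d+)\s+(\w+)\s+(.*?)((?:\s+\w+=\S+)*)$")


def parse_event(line):
    """Parse one trace line into (pid, op, target, attrs) or None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    pid, op, target, kvs = m.groups()
    attrs = dict(kv.split("=", 1) for kv in kvs.split())
    return int(pid), op, target, attrs


def rule_geofence(op, target, attrs):
    # Reading the configured GeoID; weak on its own, common in legitimate software.
    return op == "RegQueryValue" and target.lower().endswith(
        r"\control panel\international\geo\nation")


def rule_startup_file(op, target, attrs):
    return op in ("CreateFile", "WriteFile") and bool(
        re.search(r"\\start menu\\programs\\startup\\", target, re.I))


def rule_run_key(op, target, attrs):
    return op == "RegSetValue" and bool(
        re.search(r"\\currentversion\\run(once)?\\", target, re.I))


def rule_mbr_write(op, target, attrs):
    # A raw write that overlaps sector 0 of a physical drive touches the MBR.
    if op != "WriteFile" or not re.match(r"^\\\\\.\\PhysicalDrive\d+$", target):
        return False
    return int(attrs.get("offset", "-1")) in range(0, 512)


# (signature name as shown in the report, ATT&CK technique, predicate)
SIGNATURES = [
    ("Checks computer location settings", "T1614", rule_geofence),
    ("Drops startup file", "T1547.001", rule_startup_file),
    ("Adds Run key to start application", "T1547.001", rule_run_key),
    ("Writes to the Master Boot Record (MBR)", "T1542.003", rule_mbr_write),
]


def triage(trace):
    """Return {pid: [(signature, technique), ...]} for every process with a hit."""
    hits = defaultdict(list)
    for line in trace.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        pid, op, target, attrs = ev
        for name, technique, check in SIGNATURES:
            if check(op, target, attrs) and (name, technique) not in hits[pid]:
                hits[pid].append((name, technique))
    return dict(hits)


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_TRACE).items():
        for name, technique in findings:
            print(f"pid {pid}: {name} [{technique}]")
```

Only PID 1234 fires: the benign process reads a different registry value and writes far past the first sector, so neither the geofence nor the bootkit rule matches it. Treat the Geo\Nation lookup as a weak indicator that needs corroboration; the offset-0 write to the physical drive from a user-mode process is the strong one.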

MITRE ATT&CK Enterprise v15

Tasks