Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
vcac.exe
-
Size
24.2MB
-
Sample
231011-f1gpyadf85
-
MD5
60db2af267aaa16ab82007ce5dc80685
-
SHA1
2c9ea81aac005653e0f49deaf7635d69300ef644
-
SHA256
e4b0092942132b80858e5364222a3da3303456764192aeb3717311b54610b7fd
-
SHA512
3b127f1f0cc3381a61344cc319e2d99af1a906717c485972df881096a36b7c567c26d71b65424d34e4ca84624ee8924de6bf376edb47c819cadf2d6b93a9d101
-
SSDEEP
98304:qKBbBWIgWljGxRB/LL6vc22SsaNYfdPBldt6+dBcjHVCU688cIyGOk3ta:P4xRBjgB7j4U6gl
Malware Config
Extracted
quasar
-
reconnect_delay
1
Targets
-
-
Target
vcac.exe
-
Size
24.2MB
-
MD5
60db2af267aaa16ab82007ce5dc80685
-
SHA1
2c9ea81aac005653e0f49deaf7635d69300ef644
-
SHA256
e4b0092942132b80858e5364222a3da3303456764192aeb3717311b54610b7fd
-
SHA512
3b127f1f0cc3381a61344cc319e2d99af1a906717c485972df881096a36b7c567c26d71b65424d34e4ca84624ee8924de6bf376edb47c819cadf2d6b93a9d101
-
SSDEEP
98304:qKBbBWIgWljGxRB/LL6vc22SsaNYfdPBldt6+dBcjHVCU688cIyGOk3ta:P4xRBjgB7j4U6gl
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Possible privilege escalation attempt
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1