General
-
Target
Uni.bat
-
Size
512KB
-
Sample
240511-nwv1rsee9z
-
MD5
d188d8d8e859b13330551005efc1f6cb
-
SHA1
6e3e2c19174c7cd0e9a2c248c700cd25a7ee17da
-
SHA256
7de9346c81bcb5b91230450e2092f27851f5cffb1837058e611ac103974f680a
-
SHA512
1847acf391c3d7a21962ae19908af637f239edaab741d2c7dc9e876b04dea6f54b7d9d42ebf3634fff9283692b7ecb566e067368a77e618bb8b5ef402e33e59f
-
SSDEEP
12288:i7ET3QCkmortzhYOPdMa0cqLepCUBD5LSWjU2d:GY3QCk7hXdMaELkVjU2d
Malware Config
Extracted
quasar
3.1.5
SeroXen
tue-jake.gl.at.ply.gg:29058
$Sxr-xPAuDxLNyBmZ7S2WLJ
-
encryption_key
Pw78RUs175dFrKD7lMwH
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
SeroXen
-
subdirectory
SubDir
Targets
-
-
Target
Uni.bat
-
Size
512KB
-
MD5
d188d8d8e859b13330551005efc1f6cb
-
SHA1
6e3e2c19174c7cd0e9a2c248c700cd25a7ee17da
-
SHA256
7de9346c81bcb5b91230450e2092f27851f5cffb1837058e611ac103974f680a
-
SHA512
1847acf391c3d7a21962ae19908af637f239edaab741d2c7dc9e876b04dea6f54b7d9d42ebf3634fff9283692b7ecb566e067368a77e618bb8b5ef402e33e59f
-
SSDEEP
12288:i7ET3QCkmortzhYOPdMa0cqLepCUBD5LSWjU2d:GY3QCk7hXdMaELkVjU2d
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-