General
-
Target
DonioExternalBetaTesting.exe
-
Size
21.6MB
-
Sample
240512-rcz26acf99
-
MD5
8b83b1b0b50756804e0f08c9f3b1b8f7
-
SHA1
85c32f26ae0e3f04b27bd6718919703aea5543ff
-
SHA256
1abbb40a23b96d43508ea9414e619e4affc2c2754e8867ce1d7778102639fdc0
-
SHA512
fac6eb15c691367ef0d67bdd12bc56874c62a87ffdc7b4f6811cb278e432180e4900d6965cb349f1edf3b29f8415506f2c4bf5cd580a309641b525bddcd0ebd9
-
SSDEEP
393216:b6OqvaxDwIev2jgHvRaWP3xql2s0fdmMsx/pPeBAyYWzUrzShjiIPmF9PDpm:pJUUgPRaGUgfYMuRARzUHiji39PDpm
Malware Config
Extracted
quasar
1.4.1
Office04
73.102.120.5:4782
45cfb540-284b-48a7-9d2a-e359fc523739
-
encryption_key
70C79CE5F0635CE0445F6E268995D45A5188DFB3
-
install_name
DonioExternalBeta.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
WindowsUpdate
-
subdirectory
WhitelistBeta
Targets
-
-
Target
DonioExternalBetaTesting.exe
-
Size
21.6MB
-
MD5
8b83b1b0b50756804e0f08c9f3b1b8f7
-
SHA1
85c32f26ae0e3f04b27bd6718919703aea5543ff
-
SHA256
1abbb40a23b96d43508ea9414e619e4affc2c2754e8867ce1d7778102639fdc0
-
SHA512
fac6eb15c691367ef0d67bdd12bc56874c62a87ffdc7b4f6811cb278e432180e4900d6965cb349f1edf3b29f8415506f2c4bf5cd580a309641b525bddcd0ebd9
-
SSDEEP
393216:b6OqvaxDwIev2jgHvRaWP3xql2s0fdmMsx/pPeBAyYWzUrzShjiIPmF9PDpm:pJUUgPRaGUgfYMuRARzUHiji39PDpm
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-