Resubmissions

14-05-2024 15:13

240514-slrmtacd97 10

01-02-2024 17:51

240201-we464sdear 10

01-02-2024 01:30

240201-bwx4xagdd5 10

General

  • Target

    2f3b5b60129dc43350bc54e67d59a4ac.bin

  • Size

    9.2MB

  • Sample

    240514-slrmtacd97

  • MD5

    49d267c77ead1c3fa6771fbc66a8b6af

  • SHA1

    3d0cc3050c586be7fb30dc34b79578f139bf8f53

  • SHA256

    a968f7738c801b8528bb717d3928ee75523833a882bdbc4b03bdc6e8ad4cb41a

  • SHA512

    8e2f9d9258867e648d26d359061239cccebe6669daaf57a843e53d2049e6176f944e8576ff33ac0c71f9183c49e44e1f51489718962a33d9e8a155d26fdbd7f0

  • SSDEEP

    196608:lf8wZFR/l+SbRZEs4O/kNOqjoVq+4UIThroTj74d1m8qQKL+37OJ5Pi:lkI7/l+SbRZq8cORq+EThhdvLrQ5q

Malware Config

Extracted

Family

discordrat

Attributes

  • discord_token

    MTE5ODg5OTYxNjc0MjEyNTYxOQ.GnQUlc.09G3jOrvsBUkj3tHkQPTbGic1sDnwN7xUFlV3o

  • server_id

    1201324675507171409

Extracted

Family

quasar

Version

1.4.1

Botnet

R3

C2

96.42.209.236:1111

Mutex

fad4f0a7-8090-44d7-960d-b61c56ece71bz

Attributes

  • encryption_key

    D280B26CAD37534E7E290E5D4BC1809E0C214936

  • install_name

    Shadow.exe

  • log_directory

    Logs

  • reconnect_delay

    1

  • startup_key

    Shadow

  • subdirectory

    SubDir

Targets

    • Target

      2f3b5b60129dc43350bc54e67d59a4ac.bin

    • Size

      9.2MB

    • MD5

      49d267c77ead1c3fa6771fbc66a8b6af

    • SHA1

      3d0cc3050c586be7fb30dc34b79578f139bf8f53

    • SHA256

      a968f7738c801b8528bb717d3928ee75523833a882bdbc4b03bdc6e8ad4cb41a

    • SHA512

      8e2f9d9258867e648d26d359061239cccebe6669daaf57a843e53d2049e6176f944e8576ff33ac0c71f9183c49e44e1f51489718962a33d9e8a155d26fdbd7f0

    • SSDEEP

      196608:lf8wZFR/l+SbRZEs4O/kNOqjoVq+4UIThroTj74d1m8qQKL+37OJ5Pi:lkI7/l+SbRZq8cORq+EThhdvLrQ5q

    Score
    1/10

    • Target

      268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe

    • Size

      11.4MB

    • MD5

      2f3b5b60129dc43350bc54e67d59a4ac

    • SHA1

      08cdc5d4d0628c619897bf465f279f7d30d42b9f

    • SHA256

      268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0

    • SHA512

      725593bf2587bd1c2a8c5be02c168ad739010118f68606df1234a0aa1c31f582556a0139539f3068e7f174cd516956be608d05c6a597720138556a8a606fb749

    • SSDEEP

      196608:+XeSEzpCQdLjv+bhqNVoB8Ck5c7GpNlpq41J2mrl0bk9qtlDfJpNZYXz:q4PL+9qz88Ck+7q3p91JNRqfg

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      = ��S��.pyc

    • Size

      1KB

    • MD5

      f58b58a26971289673470a123d8844eb

    • SHA1

      deca47e82b022baaaaa88fc94453a17a105e6cf4

    • SHA256

      1a443e41b39dcc7be5a630e420f2bd2184a3ea4f4b9d168e1e97187037d9c454

    • SHA512

      0076eae4b56848db03e2fa90e799636f7c48f1ce965fe8d3def6270c0acd3d695da4ffd3b11eed18e29ac3408fb578b68d21f83e0e35d4976a02130488d8d91f

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks