General
-
Target
c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4.vbs
-
Size
197KB
-
Sample
240517-ccx58scb5x
-
MD5
4730787ad81772f8d9b03ae8faf9efc3
-
SHA1
4d09795bab624a2dbeb62a14870693f8c0dc810c
-
SHA256
c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4
-
SHA512
d7b28b0377fd0ec04d105a6c3ee3ae92ff98d29b3d8aa1d1c677817fad4b9816126eb4e7e23376d60dd1d263dd0e3ad182732b2e2c8ee0cfa54c64440fdaeaec
-
SSDEEP
384:z1OlYw8nrW9LrBppppppppppppppppppppNGpppppppppppppppppppppppppppf:sfirg/LNA
Malware Config
Extracted
https://pasteio.com/download/xcxWvykfm30a
Extracted
quasar
1.4.1
aldo_R3GON
peurnick24.bumbleshrimp.com:7310
77413eeb-5d1c-4bf8-986f-3c9d48a16cd6
-
encryption_key
A3226D93494A561FEC5149605B952B09B55012C6
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4.vbs
-
Size
197KB
-
MD5
4730787ad81772f8d9b03ae8faf9efc3
-
SHA1
4d09795bab624a2dbeb62a14870693f8c0dc810c
-
SHA256
c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4
-
SHA512
d7b28b0377fd0ec04d105a6c3ee3ae92ff98d29b3d8aa1d1c677817fad4b9816126eb4e7e23376d60dd1d263dd0e3ad182732b2e2c8ee0cfa54c64440fdaeaec
-
SSDEEP
384:z1OlYw8nrW9LrBppppppppppppppppppppNGpppppppppppppppppppppppppppf:sfirg/LNA
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables containing common artifacts observed in infostealers
-
Detects executables packed with Yano Obfuscator
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-