General
-
Target
build.bat
-
Size
14.0MB
-
Sample
240517-wvjv4scc52
-
MD5
ef8beb81c6fa2aaad4a314be361292ce
-
SHA1
7b7296096931ac5d62081cc91ead8afd2346e0c7
-
SHA256
6377476be087b6911f24f93a601fd8f46461f52815ec27f95371c8418c385377
-
SHA512
8ffa18e66e4e8a3a23eb7c2375fa6b25aab90da3265f35d56ea9965f8d2c89a988052bbd0e05c0b3b3c124cb5e9f47b0b6ab5ea0df3b880d449fd3ff2a25767f
-
SSDEEP
49152:Lhha5TtF7ZXKxZvLjnrt64H1eGHrWT7xdJ11ar07nqcBIL/ULWorCWmZ9vXEdQm/:E
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Targets
-
-
Target
build.bat
-
Size
14.0MB
-
MD5
ef8beb81c6fa2aaad4a314be361292ce
-
SHA1
7b7296096931ac5d62081cc91ead8afd2346e0c7
-
SHA256
6377476be087b6911f24f93a601fd8f46461f52815ec27f95371c8418c385377
-
SHA512
8ffa18e66e4e8a3a23eb7c2375fa6b25aab90da3265f35d56ea9965f8d2c89a988052bbd0e05c0b3b3c124cb5e9f47b0b6ab5ea0df3b880d449fd3ff2a25767f
-
SSDEEP
49152:Lhha5TtF7ZXKxZvLjnrt64H1eGHrWT7xdJ11ar07nqcBIL/ULWorCWmZ9vXEdQm/:E
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-