Resubmissions

22-05-2024 16:28

240522-tywmzahb27 10

General

  • Target

    Loader.exe

  • Size

    24.6MB

  • Sample

    240522-tywmzahb27

  • MD5

    0bbe9763f6ca8dde51dceecd8c15bf16

  • SHA1

    686df2ce62a32a65ca5e82b0ae3b00b243d3cb43

  • SHA256

    e8a3a56be00250fe8894b669c5409d05c50f5f0555039e0572b5056b269f24d9

  • SHA512

    631d262a6c434361fc214504540e1c50ea929971c5433724864d8e069028e767e09e2507ab83a9b7554dbb777568bb672ab6f771fc6d9a2c04f2027aa3cd4464

  • SSDEEP

    393216:ecTVwTQsEe+NUryAT551+swSSLgNJBoM5lELqwhXwazfb35x08kHHQgDnYF:echw0myATDhOLgfmMU6MfDQlH5nC

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

barbu

C2

bardu3662.duckdns.org:9733

Mutex

afa58199-2aae-4e08-8ef4-8e4ef39bc0aa

Attributes
  • encryption_key

    080342EF5ED2B5D16317695CC4327BF2FFC034AA

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    Updater

  • subdirectory

    ApplicationFrameHost

Targets

    • Target

      Loader.exe

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped components are not scanned.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies, and autofill entries.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
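The extracted Quasar config above (C2, mutex, install_name, subdirectory, startup_key) and the PowerShell Defender-exclusion signature are the parts of this report a responder can turn directly into host and network checks. The following is an added example, not code from the sandbox or from the Quasar project: it builds indicators from the config values on this page and runs them over a handful of constructed telemetry events. Assumptions, marked in the comments, are that the startup_key lands as a value name under the per-user Run key, that the implant installs under an AppData folder (the extracted config does not state the base install directory, so matching is on the trailing path components only), and that a "mutex" event type exists in the telemetry; the Defender check matches the `Add-MpPreference -Exclusion*` pattern the sandbox flagged. Note that RuntimeBroker.exe is also a legitimate Windows binary, so the image check deliberately ignores the System32 copy.

```python
import re
from dataclasses import dataclass

# Values copied from the extracted Quasar config on this page.
QUASAR_CONFIG = {
    "version": "1.4.1",
    "botnet": "barbu",
    "c2": "bardu3662.duckdns.org:9733",
    "mutex": "afa58199-2aae-4e08-8ef4-8e4ef39bc0aa",
    "install_name": "RuntimeBroker.exe",
    "subdirectory": "ApplicationFrameHost",
    "startup_key": "Updater",
    "log_directory": "Logs",
    "reconnect_delay": 1000,
}

# Assumption: startup_key is written as a value name under the per-user Run key.
# The base install folder is not in the extracted config, so the path indicator
# matches only on the trailing "<subdirectory>\<install_name>" components.
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"

# The PowerShell Defender-tampering pattern flagged by the sandbox signature.
DEFENDER_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Indicators:
    c2_host: str
    c2_port: int
    mutex: str
    install_tail: str      # e.g. "applicationframehost\runtimebroker.exe"
    run_value_name: str


def build_indicators(cfg: dict) -> Indicators:
    """Derive comparable (lower-cased) indicators from an extracted Quasar config."""
    host, _, port = cfg["c2"].rpartition(":")
    return Indicators(
        c2_host=host.lower(),
        c2_port=int(port),
        mutex=cfg["mutex"].lower(),
        install_tail=f'{cfg["subdirectory"]}\\{cfg["install_name"]}'.lower(),
        run_value_name=cfg["startup_key"].lower(),
    )


def match_event(ind: Indicators, ev: dict) -> list:
    """Return the reasons (possibly none) a single telemetry event matches."""
    hits = []
    kind = ev["type"]
    if kind == "dns" and ev["query"].lower() == ind.c2_host:
        hits.append("dns query for C2 host")
    elif kind == "connect" and ev["host"].lower() == ind.c2_host:
        port_note = "configured" if ev["port"] == ind.c2_port else "unexpected"
        hits.append(f"connection to C2 host on {port_note} port")
    elif kind == "mutex" and ev["name"].lower().endswith(ind.mutex):
        # Session-local mutex names carry a \Sessions\<n>\BaseNamedObjects\ prefix.
        hits.append("quasar mutex created")
    elif kind == "registry_set":
        if ev["key"].lower().endswith(RUN_KEY_SUFFIX) and ev["value"].lower() == ind.run_value_name:
            hits.append("run value matches startup_key")
        if ev.get("data", "").lower().endswith(ind.install_tail):
            hits.append("run data points at install path")
    elif kind == "process":
        image = ev["image"].lower()
        # RuntimeBroker.exe is a genuine Windows binary; only the copy under the
        # Quasar subdirectory (never the System32 one) is the implant.
        if image.endswith(ind.install_tail) and "\\windows\\system32\\" not in image:
            hits.append("process image at quasar install path")
        if DEFENDER_EXCLUSION_RE.search(ev.get("cmdline", "")):
            hits.append("powershell adds defender exclusion")
    return hits


def scan(ind: Indicators, events: list) -> dict:
    """Map event index -> match reasons, for the events that matched anything."""
    result = {}
    for i, ev in enumerate(events):
        hits = match_event(ind, ev)
        if hits:
            result[i] = hits
    return result


# Constructed telemetry for illustration (not from the sandbox run). The AppData
# install folder and the "mutex" event type are assumptions.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "bardu3662.duckdns.org"},
    {"type": "connect", "host": "bardu3662.duckdns.org", "port": 9733},
    {"type": "connect", "host": "bardu3662.duckdns.org", "port": 443},
    {"type": "mutex", "name": "\\Sessions\\1\\BaseNamedObjects\\afa58199-2aae-4e08-8ef4-8e4ef39bc0aa"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Updater", "data": "C:\\Users\\victim\\AppData\\Roaming\\ApplicationFrameHost\\RuntimeBroker.exe"},
    {"type": "process", "image": "C:\\Users\\victim\\AppData\\Roaming\\ApplicationFrameHost\\RuntimeBroker.exe", "cmdline": ""},
    {"type": "process", "image": "C:\\Windows\\System32\\RuntimeBroker.exe", "cmdline": ""},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -Command \"Add-MpPreference -ExclusionPath C:\\Users\\victim\\AppData\\Roaming\""},
]

if __name__ == "__main__":
    for idx, reasons in scan(build_indicators(QUASAR_CONFIG), SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], reasons)
```

The connect check matches on the C2 host regardless of port and only annotates whether the port is the configured 9733, because a DDNS host like this one is the durable indicator while the port is trivially changed in the builder. The encryption_key, log_directory and reconnect_delay attributes are kept in the config for completeness but do not map to a host or network observable on their own.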

MITRE ATT&CK Enterprise v15
