General
- Target: 2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb
- Size: 3.2MB
- Sample: 240527-ylvx5ahb33
- MD5: 6c16807e4417e60366cde4515d148ab3
- SHA1: b8212729ae453b48531c5331cfdaea3aa213cf85
- SHA256: 2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb
- SHA512: eb448d72c2d7d74cae67cac46ebc0262e50113b40164d0c9837e4e0d481c23038f85a414dd92561fdbe5958ecdbaa86e8cdd921cc1cc2571eb96f9dd76cc2efe
- SSDEEP: 49152:6oHBs26nkjh/a3LlwLkl6cV0ymGIj5y60K9F8AA/qDTvyNUjqwZjAN+68OxcIzQW:9B6Wh/9L3clIVy6RwA29NGoN+3OWIzQ
Static task: static1

Behavioral task: behavioral1
- Sample: 2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
- Resource: win10v2004-20240426-en
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: 1`:4782
- Mutex: af2aa588-6605-4638-8da1-ae434f48b4a8
- encryption_key: 45ADA9B733F36F800D08E295E8F812611F35D087
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Targets
- Target: 2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb
- Quasar payload
- Detects Windows executables referencing non-Windows User-Agents
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables containing common artifacts observed in infostealers
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext