Extracted

• • Target

    8aa12cb7cad072737aa9541b636a68bb_JaffaCakes118

  • Size

    2.2MB

  • MD5

    8aa12cb7cad072737aa9541b636a68bb

  • SHA1

    45b5e9bfda12f5de1338ca330b08132317684737

  • SHA256

    12415ec74ab9a1facbbda22b5618d4aaed954a880f7db45406060f2f252a015f

  • SHA512

    fca92073ee608b8233fa26079a5f55b5b4b118a48029b943987037cea7302806eb2bb601f8ff5e3715e3d46ca5f27941667c241148314b194eedfc2dd7bb96c8

  • SSDEEP

    49152:gz9oY5v/t14EmN0v8X4NbyhXers4a5ppHdKoCgzSZp6UzsGre245snxNX99AeP:KB5Hf4EmN0UXvia5vHcDgzSfB7iT0x

  Score

  10^/10

  quasaroffice04spywaretrojanvmprotect

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2