General
-
Target
DarkMoon_Gen_1-3.zip
-
Size
8.2MB
-
Sample
240602-s59bzagg36
-
MD5
010dfa23e0867a4616a6ab1f2c082556
-
SHA1
ae16af6d8e7d57fa192ebb60f995d25d1d009c6c
-
SHA256
e3b738d063a721f7fbc486125d6ff34e238f1f1ff5561af2b6db80eec5ae5654
-
SHA512
40aa79df71c0db918895bf19dd717e8f04e620dbefcde7ea6cda3941fb26ca9baa6870f0e63cadd40897c487731e9ca4e02b6a5e6524d08d7ca1174036935e43
-
SSDEEP
196608:8HvvZPGmaJoKPfZCXh0YYyhVSXj8XN7rWtioPVOaYNC7TV:8PNGmgfUxbXNWTPVLYsTV
Malware Config
Extracted
quasar
1.0.0.0
v2.2.6 | SeroXen
seroooooxeen.chickenkiller.com:5059
f953c0af-702a-46b5-ad07-d900b11c5cd9
-
encryption_key
458790DC6E62EEB3043B4566BF95CDAF711F1EC0
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
Targets
-
-
Target
DarkMoon_Gen_1-3.zip
-
Size
8.2MB
-
MD5
010dfa23e0867a4616a6ab1f2c082556
-
SHA1
ae16af6d8e7d57fa192ebb60f995d25d1d009c6c
-
SHA256
e3b738d063a721f7fbc486125d6ff34e238f1f1ff5561af2b6db80eec5ae5654
-
SHA512
40aa79df71c0db918895bf19dd717e8f04e620dbefcde7ea6cda3941fb26ca9baa6870f0e63cadd40897c487731e9ca4e02b6a5e6524d08d7ca1174036935e43
-
SSDEEP
196608:8HvvZPGmaJoKPfZCXh0YYyhVSXj8XN7rWtioPVOaYNC7TV:8PNGmgfUxbXNWTPVLYsTV
Score1/10 -
-
-
Target
DarkMoon_Gen_1-3/lib/main.exe
-
Size
340KB
-
MD5
f3c021dbce0cd670f15415c3aa6b83aa
-
SHA1
433842e6529c6df685da1317bfd69d2ea0c85cca
-
SHA256
c147148fa809e238efc3e60b2ed129a93f11694b31d194f7347ddfbb6b82ba20
-
SHA512
5690f12b45819cf28dfc350d3e362f172f1f589b9614b639f995e1bb56ea8fcb87b3058323998f33dd3637b48f00d596c63866cfde7172a3ac664fac110a6f66
-
SSDEEP
3072:eahKyd2n3175Ctbq6rw3VScvNSAh8CndDOMrt1nW:eahOql+UcsMra
Score6/10-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
DarkMoon_Gen_1-3/lib/uni.bat
-
Size
12.6MB
-
MD5
8e3d8ed6db7cb979d5d56c8b847cc965
-
SHA1
5d1ad752a988ce13da601448cdca5584610cffee
-
SHA256
9d0b440b61b239bc3406d67bf7ae8baf1ceef65923e8558ce3a3c1a3c4a5e22a
-
SHA512
d7a96420b1e61c4bc7db6c533704771e329239629201dbf34ac8a95a931da92c6e1d7ddb694a491656246b0eb491e96d194b7abccf54ef757c1aea92a9b96a0e
-
SSDEEP
49152:Hq8mcjsXbvlusR48pNIN/I/EiFTPbYWLP17DFNkKuri3NSbkpXYyr7arOR150kFB:o
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
DarkMoon_Gen_1-3/starter.bat
-
Size
51B
-
MD5
abc778ba27885c72f364ad89b1306862
-
SHA1
2d4bfe8e2de4390109e8fa786ad47ec68daeaffe
-
SHA256
97c5438395ba799a673564195db730de8d9742a7a141566fa7c9075c46e3a039
-
SHA512
65a9bcdb3493526dd0b340aacabd30cd2e577a03cac920341e7be041e8de133ced0ab45c14a2509fbbd6f2451ac3ef1f5d520328d44f06aa4af6bfb122991f8f
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
3Hide Artifacts
1Hidden Files and Directories
1