General

Target: Zer0.bat
Size: 586KB
Sample: 240608-rcdtxscc5t
MD5: 23e8182ee8e5dc33add24206b72fe1b2
SHA1: 744ef302e11c315fa8af3d2ba2830fdc326110ac
SHA256: c8c3dd02b8fea2a4f8a1eadd7c62d79dfcb147e9766692ee6de40fb6f9cd6ae6
SHA512: 520911a8894efb73dcadf73a74a1721e852979eea54255160819e6485b40f4026216fa70f7d008c5762edc26a6a241bf216c1ef358ee97fb08a3c823a4cbb32d
SSDEEP: 12288:2biIH9WV384D1jj9b88u/srbgkaeJwETjUjnTqTlPaJT1LQ6:2bin+459b8usq9ojT+iJ3

Static task: static1
Malware Config

Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Nigga
C2: runderscore00-61208.portmap.host:61208
Mutex: QSR_MUTEX_8JC7DdKcgnk4fSVaPC

Attributes
encryption_key: 03SyClWuZ5C4OQvoBqUJ
install_name: Zer0Spy-Main.exe
log_directory: $phantom-Logs
reconnect_delay: 3000
startup_key: Powershell
subdirectory: $phantom-zero2
Targets

Target: Zer0.bat
- Quasar payload
- Blocklisted process makes network request
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
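The extracted config and the two network signatures above give concrete, pivotable indicators: the C2 host and port, the mutex, the install path (subdirectory plus install_name), the Run-key value name (startup_key), and the behaviour of a script host reaching an IP-lookup service. As an added example, not part of this sandbox report or of the Quasar project, the following Python turns those into detection logic and runs it over constructed log lines. The C2, mutex, install path and startup_key values are copied from the config above; the list of IP-lookup services, the set of script hosts treated as blocklisted, and the pipe-separated log format are assumptions made for the example.

```python
"""Host/network detection for the Quasar config extracted above, run over
constructed log lines.  Added example; not part of the sandbox report."""

# Indicators copied from the extracted config (this sample only).
C2_HOST = "runderscore00-61208.portmap.host"
C2_PORT = 61208
MUTEX = "QSR_MUTEX_8JC7DdKcgnk4fSVaPC"
INSTALL_NAME = "zer0spy-main.exe"   # install_name, lower-cased for matching
SUBDIRECTORY = "$phantom-zero2"     # subdirectory under the install root
STARTUP_KEY = "powershell"          # startup_key: treated here as the Run value name

# Assumed lists (not from the report): public IP-lookup services RATs commonly
# query, and script hosts/LOLBins whose outbound traffic is blocklisted here.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ip-api.com", "ipinfo.io",
                   "checkip.amazonaws.com", "ifconfig.me"}
BLOCKLISTED_NET_PROCESSES = {"cmd.exe", "powershell.exe", "wscript.exe",
                             "cscript.exe", "mshta.exe"}

# Constructed events, one per line: kind|process|target|extra
# kind is net, mutex, file or reg; extra is the port (net) or value data (reg).
SAMPLE_LOG = r"""
net|powershell.exe|api.ipify.org|443
net|Zer0Spy-Main.exe|runderscore00-61208.portmap.host|61208
mutex|Zer0Spy-Main.exe|QSR_MUTEX_8JC7DdKcgnk4fSVaPC|
file|Zer0Spy-Main.exe|C:\Users\victim\AppData\Roaming\$phantom-zero2\Zer0Spy-Main.exe|
reg|Zer0Spy-Main.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Powershell|C:\Users\victim\AppData\Roaming\$phantom-zero2\Zer0Spy-Main.exe
net|chrome.exe|www.example.com|443
net|svchost.exe|ipinfo.io|443
"""


def parse_line(line):
    """Split one constructed log line into an event dict."""
    parts = line.strip().split("|")
    kind, process, target = parts[:3]
    extra = parts[3] if len(parts) > 3 else ""
    return {"kind": kind, "process": process.lower(), "target": target, "extra": extra}


def classify(ev):
    """Return the list of detection names that fire for one event."""
    hits = []
    kind, proc, target = ev["kind"], ev["process"], ev["target"]
    if kind == "net":
        host = target.lower()
        port = int(ev["extra"] or 0)
        if host == C2_HOST and port == C2_PORT:
            hits.append("quasar_c2_connection")
        elif host.endswith(".portmap.host"):
            # Same tunnelling provider as the C2, different host/port: still worth a look.
            hits.append("portmap_tunnel")
        if host in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
        if proc in BLOCKLISTED_NET_PROCESSES:
            hits.append("blocklisted_process_network")
    elif kind == "mutex":
        if target == MUTEX:
            hits.append("quasar_mutex")
        elif target.startswith("QSR_MUTEX_"):
            hits.append("quasar_mutex_pattern")
    elif kind == "file":
        path = target.replace("/", "\\").lower()
        if path.endswith("\\" + SUBDIRECTORY + "\\" + INSTALL_NAME):
            hits.append("quasar_install_path")
    elif kind == "reg":
        value_name = target.rsplit("\\", 1)[-1].lower()
        data = ev["extra"].lower()
        # A Run value named like a legitimate tool but pointing at the implant.
        if ("\\currentversion\\run\\" in target.lower()
                and value_name == STARTUP_KEY and data.endswith(INSTALL_NAME)):
            hits.append("quasar_run_key")
    return hits


def scan(log_text):
    """Run classify() over every non-empty line; return (process, target, hits) per hit."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hits = classify(ev)
        if hits:
            results.append((ev["process"], ev["target"], hits))
    return results


if __name__ == "__main__":
    for process, target, hits in scan(SAMPLE_LOG):
        print(f"{process:20} {target:70} {','.join(hits)}")
```

The C2 match is deliberately exact on host and port, with a weaker rule for any other `.portmap.host` endpoint, because the portmap tunnel name embeds an operator-chosen label and port that may change between builds while the mutex, install path and Run value name come straight from the embedded settings.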