Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
lchs.txt
-
Size
3.4MB
-
Sample
240925-txkjbaycjb
-
MD5
45135fb081a6c819f57b8af5d643fa0a
-
SHA1
41d53a31c8fd14780eb5ddbed85bc893c537d8b1
-
SHA256
02c614d149eeba84d88bb0bf9054c63a43edd5ae2993d3cb45b669cd7e590662
-
SHA512
a013dc1e56ff12ad7a2137de92a2b154bbe1563ef19a7770ad3241d4218946db4811c06b92e06dfee29fd7ff8e7e679474005ccea80abd8dd6ef1476ee39d29c
-
SSDEEP
98304:/zUa0ps1XffeC+/qLwLi0mRqDZwqRY9GBN/txR:/zBUEmCbLsi0mEDmqR/zR
Malware Config
Extracted
quasar
1.4.1
25-09-2024-msc
193.124.33.141:4782
b4f4a566-ecdf-4f60-b8dc-d8a1a60e842f
-
encryption_key
DD459BB92A43EF8EEB2FE401C8453F685AECE590
-
install_name
ChromiumDaemon.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Chromium Extentions Service
-
subdirectory
ChromiumExtentions
Targets
-
-
Target
lchs.txt
-
Size
3.4MB
-
MD5
45135fb081a6c819f57b8af5d643fa0a
-
SHA1
41d53a31c8fd14780eb5ddbed85bc893c537d8b1
-
SHA256
02c614d149eeba84d88bb0bf9054c63a43edd5ae2993d3cb45b669cd7e590662
-
SHA512
a013dc1e56ff12ad7a2137de92a2b154bbe1563ef19a7770ad3241d4218946db4811c06b92e06dfee29fd7ff8e7e679474005ccea80abd8dd6ef1476ee39d29c
-
SSDEEP
98304:/zUa0ps1XffeC+/qLwLi0mRqDZwqRY9GBN/txR:/zBUEmCbLsi0mEDmqR/zR
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1