General
-
Target
193d9acadf1f7cb18bd295f774c644f34da72dbc10c2eccd39c858f55f320a2f
-
Size
7.0MB
-
Sample
240927-bkkz7szfng
-
MD5
8cad4d2de4a7be6bdb70a9554140f1a1
-
SHA1
6e9ba7b352ff16515f39acb5479636ba84b67428
-
SHA256
193d9acadf1f7cb18bd295f774c644f34da72dbc10c2eccd39c858f55f320a2f
-
SHA512
c90d28bff2011d6748619134747e9806eedf2a321059a0ee12f8b1ffe0305970879ffef8a64c5212048cc35266a2e541fcc0f18458701c4fc03ef0151b80ec05
-
SSDEEP
196608:GCdDUMZIOaN3e8iYIRlOdwxPAsfZs77AE0d8EEF7Sx:nGiIO6FiJNRctypz
Malware Config
Extracted
quasar
1.3.0.0
Valorant
hanekese.ddns.net:1005
QSR_MUTEX_vjIusnIFPVRxcR2xS4
-
encryption_key
5V49FWeqLdk5NQWJl6h7
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
mac updater
-
subdirectory
SubDir
Targets
-
-
Target
ValoaimV8.exe
-
Size
20.0MB
-
MD5
4ed9006d9970ee5f1ee6486cfc663ee6
-
SHA1
258fbba6e43c23ad9680576cc51a7c0906387354
-
SHA256
443be4b5119ad344755137062321a4f5c249e8fb95482183c21378ba93fd96bf
-
SHA512
952750f7e1a1182ed69ef837b0ea053a66ef1f65d8a534a2a445a660677fc19f2eca6aa66e25e6bafedd94bbf9ccd99e3feea63b0bbd8a36d8683f67c2c63daa
-
SSDEEP
98304:zrcxzdbM+Q2y+aq0mGRk2jOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbQEJ1nL2hS:zrcbf0mPEOjmFQR4MVGFtwLPCnL2hVcr
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-