Extracted

• • Target

    27d5207d649ef2e091efce2af0d3a74ae771ad9ca64e9b7ac687d28bfdcd5afd.exe

  • Size

    6.3MB

  • MD5

    0ba849bd3847e7193ff7311c7bd79068

  • SHA1

    2b8c395ebf96c69d8aa1ffd72c700132c50b0b93

  • SHA256

    27d5207d649ef2e091efce2af0d3a74ae771ad9ca64e9b7ac687d28bfdcd5afd

  • SHA512

    118e0e231e5ea4d925daf73744480e0ecbc4e475803eea8b4864d9b323ac9f6b64024826b399efc0955f9aa6413e546e1ad2b71b4c4db6acf56872ddf7cf41b9

  • SSDEEP

    49152:UOKm91SNGfJpfpfGV+MuRtyKFdb2FXu7J2xePZaToBmn6vWEfta0Nq+e8NleZUoO:UO1NfJpfpXtyKjbF1Z080nZEVs+LeW

  Score

  10^/10

  quasardiscoveryevasionexecutionspywaretrojanbootkitdefense_evasionpersistence

  • Modifies security service

    evasion

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2