General
-
Target
389c77b4d588a7264038f89766fff7cb90e204b1168a05350a61c86c6e70e87aN
-
Size
816KB
-
Sample
241027-tkc9gaxjan
-
MD5
11ec645f6c65c2a60ac9c8076511e460
-
SHA1
6095caa8b0790e6acf1354f03d7b9f96068c3c77
-
SHA256
389c77b4d588a7264038f89766fff7cb90e204b1168a05350a61c86c6e70e87a
-
SHA512
0e8be6b5cdd90b78046e015ee899dc43d88358d4c840477a1cbc10cd40144e67c23326861639fd96c5d93571b479d1494b61313e34a3fb3bff0f10207cbdf2a4
-
SSDEEP
24576:mElnsFEcdvyHasjGX+oDeYVfh+vnkm51sdyU:HlnszqCXPeYckW1sdyU
Malware Config
Extracted
quasar
1.3.0.0
Office04
ronymahmoud.casacam.net:4782
sk.servemp3.com:4782
QSR_MUTEX_ewyaHKCedalfiUvTpL
-
encryption_key
6LTEKnkEacVI1BGQJRaJ
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
389c77b4d588a7264038f89766fff7cb90e204b1168a05350a61c86c6e70e87aN
-
Size
816KB
-
MD5
11ec645f6c65c2a60ac9c8076511e460
-
SHA1
6095caa8b0790e6acf1354f03d7b9f96068c3c77
-
SHA256
389c77b4d588a7264038f89766fff7cb90e204b1168a05350a61c86c6e70e87a
-
SHA512
0e8be6b5cdd90b78046e015ee899dc43d88358d4c840477a1cbc10cd40144e67c23326861639fd96c5d93571b479d1494b61313e34a3fb3bff0f10207cbdf2a4
-
SSDEEP
24576:mElnsFEcdvyHasjGX+oDeYVfh+vnkm51sdyU:HlnszqCXPeYckW1sdyU
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-