Extracted

• • Target

    c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272

  • Size

    1.4MB

  • MD5

    f26ef938c2c4235c5e4cdb4ebb801fca

  • SHA1

    7c3413c638ea0c93cf2951cf05249df89bd98ff8

  • SHA256

    c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272

  • SHA512

    84d9d421b6794d412f55d8db296d55b46d25c0980da4a75eacf39d9ad912403bfd0a09142c907328df47b0a676826bd8a0ac422d6e89541da5ca49c13f073096

  • SSDEEP

    24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

  Score

  10^/10

  quasar-discoveryevasionexecutionpersistenceprivilege_escalationspywaretrojanupx

  • Modifies WinLogon for persistence

    persistence

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Modifies Windows Firewall

    evasion

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2