General
Target: 94b4b5b599c81c62f2ea6c44530f0058cf7e42c11ab9b6f16fd78bdfe5a5f44c
Size: 3.5MB
Sample: 241113-v6kq4swena
MD5: 36bdeb5656d37e4312f946c6c1e630db
SHA1: 586f4524a1f5404dd03009da2d3b2e7eb894bc67
SHA256: 94b4b5b599c81c62f2ea6c44530f0058cf7e42c11ab9b6f16fd78bdfe5a5f44c
SHA512: 8ae0ff67c163e6ec0bb6b3c2b479d0714db270ca043e49e6dd721ecbd7aff10a80eb729f4b8996a77f90c2db9b938f8942cba3760c590c410321328861e0530c
SSDEEP: 98304:ndBGsvKSM7gRcSt4K1xDhRIZ3u+hWEv7Kz+:uSyKcyrb+Rjm+
Static task: static1
Behavioral task: behavioral1
Sample: 94b4b5b599c81c62f2ea6c44530f0058cf7e42c11ab9b6f16fd78bdfe5a5f44c.exe
Resource: win7-20240903-en
Malware Config
Extracted: quasar
Version: 1.4.1
08-10-build
C2: crostech.ru:4782
6792b0f6-5ede-4aec-96ea-721d3f317462
encryption_key: DD459BB92A43EF8EEB2FE401C8453F685AECE590
install_name: ChromiumDaemon.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Chromium Extentions Service
subdirectory: ChromiumExtentions
Targets
Target: 94b4b5b599c81c62f2ea6c44530f0058cf7e42c11ab9b6f16fd78bdfe5a5f44c (3.5MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures:
- Quasar family
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (1)
  - Credentials in Registry (1)