General
-
Target
btc.bat
-
Size
4KB
-
Sample
241119-jl755asfql
-
MD5
8e8686c27f34f377faca7502ea53d892
-
SHA1
c0c10d5cf6e829078e2b7ddd8d75f285b20476e6
-
SHA256
d16f93e57cac8170ee50e5c50a62c242de0ff7b78d707f218f344c779f30d3c4
-
SHA512
2be3631f86fe9f49986c27cc5ee9f6d2c193c61e1f9257949c90127f8748f13bd2965cac80b62e8da982f643d367a81a5750d5b95210a9e501998b5ce75caa51
-
SSDEEP
96:1j9jwIjYjUDK/D5DMF+BOiVAZLxuZLqmXSrRU9PaQxJbGD:1j9jhjYjIK/Vo+t6LxuZ2mCry9ieJGD
Static task
static1
Malware Config
Extracted
xworm
5.0
lovejuice.cc:7005
ZlZcGFLUkihvhpyO
-
install_file
USB.exe
Extracted
quasar
1.4.1
iamnew
walkout.ddnsgeek.com:8080
afaa75be-362d-43d7-90d7-242414a4e4dc
-
encryption_key
6469F8C5BA9A2CFDCF4A3F1651D1E92DBEA41117
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
btc.bat
-
Detect Xworm Payload
-
Quasar family
-
Quasar payload
-
Xworm family
-
Blocklisted process makes network request
-