General
-
Target
Obekrftade974555.crdownload
-
Size
8.9MB
-
Sample
241204-lm4kfaxjaj
-
MD5
77bd329d9e4ce7dc9c2b31b3833a6ca0
-
SHA1
46f6df3fbfdb6359260c4d21e907aa158478be6f
-
SHA256
cf00bf0d9259ac2976f1eae1a5f2af6306ccaf38d5b4643c0a852b6887073f74
-
SHA512
b57f24bf82a3fa4c0e7820aa50680f4fa496c741a9c9a2a4ab56f6188a51fc6c325fd439f4f4c683d36115f4aab026176714a75942e543e9919bc10c2c5b510b
-
SSDEEP
196608:19be0rX+BaOcbGQgp7RyMp2Ca2l3F+eCwMp7IDQkc11rwzjAeYEl3tTkkqm/:DrOJpRyMpjlVWw4IDPjtTdn
Malware Config
Extracted
quasar
1.0.0.0
v15.6.3 | xen
studies-royal.at.ply.gg:31849
usa-departments.at.ply.gg:37274
category-in.at.ply.gg:42204
bd62476d-8a2b-4e05-a8e5-68cc94baac4f
-
encryption_key
AA41DD5506DCFCA6EE3BF934CC3C9319F80E5E10
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
5000
-
startup_key
$sxr-seroxen
Targets
-
-
Target
naive-stealer-main/Naive Builder.bat
-
Size
12.8MB
-
MD5
a2e3e4286e8b22b3b021a6706b899dd7
-
SHA1
e6179204735421c3927f27c13f9751af1dce9bd2
-
SHA256
efd80dd8487437f58413be6e7d2da6ea866ae7626b3225dbf326e8c82c85e580
-
SHA512
3ff5d19accd1fa6765ffc3554bb9cfe3989eee4cf226c2ce7abbaff47a1586253ab1b408f4f9e47611ea7d2415f3298b12dfada1d1987d43c2efa16aac11e3e8
-
SSDEEP
49152:JZHKpAhg6/Ri76PuM0gcqQP+GBRa1SgA+754EU1kOeTUliFDvnrNqjdsusoj8nNc:e
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
1Hidden Window
1