General
Target: KindswaterAG-TG4554476-MEXICO-2024-300994.xlsx.arj
Size: 256KB
Sample: 241206-nscp1s1ngq
MD5: 77aa27952197c103763cdcecb1464d9a
SHA1: f094e2f50059eb216bd4415f994fd3eb395c361d
SHA256: 4b8f3233bf928426a554b604c17442a3b89c48d265df8ceceb5c725b98382394
SHA512: 78d25606c6deb7b4af4e4f5aa1d4830407e56e9d8579265ddb75356fbc44dec260162ac917bae412a96c2559aa543942d2b338f4245750d0f1164912b2382a4f
SSDEEP: 6144:2wIJBbg6ZdgSHtC/BXPZVJg83QkzZ1V9CZI2A9Mil9yuFV:LILOS07VJgMHjz8p+l8M
Static task: static1
Behavioral task: behavioral1
Sample: Kindswater AG - TG4554476- MEXICO-2024-300994.xlsx.exe
Resource: win7-20240903-en
Malware Config
Extracted
Family: quasar
Version: 1.4.1
chi
C2: amaskdh.ydns.eu:6298
e3a0d936-49ca-41bb-a676-d392f4ae50e8
encryption_key: 799E5C34BA6EC18D72E269D0C5CF1A5AC1AD9277
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: SubDir
Targets
Target: Kindswater AG - TG4554476- MEXICO-2024-300994.xlsx.exe
Size: 894KB
MD5: 39c057d5422f27e72679ab1fa0c6aa1b
SHA1: 8f29d37e6622a11e6d0d46312a6b29de83453d7d
SHA256: 9dee5f3211377a710f006088e99409270a3d2ca982ec26eac5473ea3bfa2ce8b
SHA512: 516add8c7c1827692d57341904ecb3672f9c24bfeb65c1733847f7cd7253f415f0c8001c088edb38984982f98188d9245a425954599e074d6671d7f0c9c7bafe
SSDEEP: 12288:rg8sz5/vszGcF03buni+oqt0y0eVohUH4/OU18WN2rQzVKMd:s8sdszGcF1iBqt50eVohUH1U1sM
Signatures
- Quasar family
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Suspicious use of SetThreadContext
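The extracted configuration and the "Drops startup file" signature give enough to turn this report into host- and network-side checks. The following is an added example, not part of the sandbox report and not Quasar project code: it encodes the config values (Run-key value name svchost, install path SubDir\Client.exe, C2 amaskdh.ydns.eu:6298, the two SHA256 hashes and the double-extension lure name) as rules and runs them over constructed, Sysmon-style events. The event format (tab-separated key=value fields), the user name and the install base folder (%APPDATA%\Roaming) are assumptions; the report only states the subdirectory and file name.

```python
"""Host and network checks derived from the extracted Quasar configuration.

Added example, not part of the sandbox report. The telemetry below is
constructed (tab-separated key=value fields in the spirit of Sysmon events);
the install base folder %APPDATA%\\Roaming is an assumption, since the report
only gives the subdirectory "SubDir" and the file name "Client.exe".
"""
import re

# Values copied from the report's extracted config and hash tables
C2_HOST = "amaskdh.ydns.eu"
C2_PORT = "6298"
STARTUP_KEY = "svchost"      # Run-key value name the client registers
INSTALL_NAME = "Client.exe"  # file name written into the install subdirectory
SUBDIRECTORY = "SubDir"
KNOWN_SHA256 = {
    "4b8f3233bf928426a554b604c17442a3b89c48d265df8ceceb5c725b98382394": "archive (.xlsx.arj)",
    "9dee5f3211377a710f006088e99409270a3d2ca982ec26eac5473ea3bfa2ce8b": "dropped executable (.xlsx.exe)",
}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# a document-looking extension immediately followed by an executable one
DOUBLE_EXT_RE = re.compile(r"\.(xlsx?|docx?|pdf|pptx?|txt)\.(exe|scr|com|pif|bat|cmd)$", re.IGNORECASE)

# Constructed events (assumed format); the last two are benign noise.
SAMPLE_EVENTS = [
    "EventID=1\tImage=C:\\Users\\ana\\Downloads\\Kindswater AG - TG4554476- MEXICO-2024-300994.xlsx.exe"
    "\tHashes=SHA256=9dee5f3211377a710f006088e99409270a3d2ca982ec26eac5473ea3bfa2ce8b",
    "EventID=11\tImage=C:\\Users\\ana\\Downloads\\Kindswater AG - TG4554476- MEXICO-2024-300994.xlsx.exe"
    "\tTargetFilename=C:\\Users\\ana\\AppData\\Roaming\\SubDir\\Client.exe",
    "EventID=13\tImage=C:\\Users\\ana\\AppData\\Roaming\\SubDir\\Client.exe"
    "\tTargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost"
    "\tDetails=\"C:\\Users\\ana\\AppData\\Roaming\\SubDir\\Client.exe\"",
    "EventID=3\tImage=C:\\Users\\ana\\AppData\\Roaming\\SubDir\\Client.exe"
    "\tDestinationHostname=amaskdh.ydns.eu\tDestinationPort=6298",
    "EventID=13\tImage=C:\\Windows\\explorer.exe"
    "\tTargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
    "\tDetails=C:\\Users\\ana\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
    "EventID=3\tImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    "\tDestinationHostname=example.com\tDestinationPort=443",
]


def parse_event(line):
    """Constructed format: 'key=value' fields separated by tabs."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("\t"))


def is_double_extension_lure(name):
    """e.g. 'report.xlsx.exe': displayed as a spreadsheet, runs as a program."""
    return DOUBLE_EXT_RE.search(name) is not None


def is_quasar_install_path(path):
    """Last two path components match the config's SubDir\\Client.exe."""
    parts = path.strip('"').replace("/", "\\").split("\\")
    return (len(parts) >= 2
            and parts[-1].lower() == INSTALL_NAME.lower()
            and parts[-2].lower() == SUBDIRECTORY.lower())


def check_event(ev):
    """Return the rule names a single event triggers."""
    hits = []
    eid = ev.get("EventID")
    if eid == "1":  # process creation
        if is_double_extension_lure(ev.get("Image", "")):
            hits.append("double_extension_lure")
        sha = ev.get("Hashes", "").split("SHA256=")[-1].lower()
        if sha in KNOWN_SHA256:
            hits.append("known_sample_hash")
    elif eid == "11" and is_quasar_install_path(ev.get("TargetFilename", "")):
        hits.append("quasar_install_dropped")  # the report's 'Drops startup file'
    elif eid == "13":  # registry value set
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if (m and m.group(1).lower() == STARTUP_KEY.lower()
                and is_quasar_install_path(ev.get("Details", ""))):
            hits.append("quasar_run_key_persistence")
    elif eid == "3":  # network connection
        if (ev.get("DestinationHostname", "").lower() == C2_HOST
                and ev.get("DestinationPort") == C2_PORT):
            hits.append("quasar_c2_connection")
    return hits


def scan(lines):
    """Map each triggered rule name to the events that fired it."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(ev)
    return findings


if __name__ == "__main__":
    for rule, events in scan(SAMPLE_EVENTS).items():
        print(rule, "->", len(events), "event(s)")
```

The Run-key value name is a tell on its own: Windows starts its real svchost.exe through the service control manager, never from a Run entry, so a Run value named "svchost" pointing into a user-writable folder warrants a look even before the path is matched. The report's reconnect_delay of 3000 ms is the client's retry interval, so repeated connection attempts to the C2 host roughly three seconds apart while it is unreachable are another observable worth a rule once the hostname or port changes.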