General
-
Target
file.exe
-
Size
3.0MB
-
Sample
241208-y29ffsylbp
-
MD5
25ae2a8e59da886dbc3192b12e000ffa
-
SHA1
c384fbee5a29be18571d293c1e20a36d044bd86a
-
SHA256
d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4
-
SHA512
246a2948f880231fe597a4c6cfb1f8acbbc7173f73752532dd2049697cd4165c6d1e966a1a598d260053e1f4aeebf0472ffedc4aec56c8233899c965c7fc6736
-
SSDEEP
49152:auZju5PuuzE2wJMTFuUPHghJW5eqdCMuWnLBuU5ZHWIcCm:xjuFumw0Fu2gho5e4nLB5L
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
Malware Config
Extracted
quasar
-
version
1.4.1
-
tag
Office04
-
c2
45.200.148.155:6060
-
mutex
4b3820e0-d123-49d9-b51e-3c4daa4f6874
-
encryption_key
F8879E9B26846C57C99B6F152F74703E1CC15B8B
-
install_name
SecurityHealthSystray.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
SecurityHealthSystray.exe
-
subdirectory
SubDir
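The encryption_key above is not the AES key itself. In Quasar 1.4.x every field of the client's Settings class (tag, version, hosts, install name, mutex, startup key, log directory and so on) is stored as a base64 blob laid out as HMAC-SHA256 (32 bytes) || IV (16 bytes) || AES-256-CBC ciphertext, and both the AES key and the HMAC key are derived from the encryption_key string with PBKDF2-HMAC-SHA1 (50,000 iterations, a constant salt compiled into the client). That is why an extractor that recovers this one string can decrypt every other field. The Go program below is an added example written for this page, not Tria.ge's extractor and not Quasar's own code. It re-implements the scheme with the standard library only (including a small PBKDF2), uses this sample's encryption_key, and, because the sample's encrypted strings are not reproduced on this page, round-trips a constructed value (a HOSTS-style string built from the C2 above) instead of the real blob. The salt bytes, iteration count and the 32/64 key split are taken from the Quasar 1.4 source.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
)

var quasarSalt = []byte{ // constant PBKDF2 salt compiled into Quasar 1.4.x clients (Quasar.Common, Aes256 class)
	0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
	0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
}

// pbkdf2 is a minimal RFC 8018 PBKDF2 so the example needs nothing outside the standard library.
func pbkdf2(h func() hash.Hash, password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(h, password)
	dk, ctr := make([]byte, 0, keyLen+prf.Size()), make([]byte, 4)
	for block := uint32(1); len(dk) < keyLen; block++ {
		binary.BigEndian.PutUint32(ctr, block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// deriveKeys mirrors the client's Aes256 constructor: Rfc2898DeriveBytes(encryption_key, salt, 50000), GetBytes(32) for AES then GetBytes(64) for HMAC, i.e. one PBKDF2-HMAC-SHA1 stream split 32/64.
func deriveKeys(encryptionKey string) (aesKey, authKey []byte) {
	dk := pbkdf2(sha1.New, []byte(encryptionKey), quasarSalt, 50000, 96)
	return dk[:32], dk[32:]
}

// EncryptSetting is the builder side: base64( HMAC-SHA256(IV||CT) || IV || AES-256-CBC/PKCS7 ciphertext ).
func EncryptSetting(encryptionKey, plaintext string) (string, error) {
	aesKey, authKey := deriveKeys(encryptionKey)
	block, _ := aes.NewCipher(aesKey) // 32-byte key, cannot fail
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	body := make([]byte, aes.BlockSize+len(padded))
	copy(body, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(append(mac.Sum(nil), body...)), nil
}

// DecryptSetting is what a config extractor does per field: verify the HMAC first (the client does too), then decrypt.
func DecryptSetting(encryptionKey, b64 string) (string, error) {
	data, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(data) < 64 || (len(data)-32)%aes.BlockSize != 0 { // HMAC(32) + IV(16) + at least one block
		return "", errors.New("malformed blob")
	}
	aesKey, authKey := deriveKeys(encryptionKey)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(data[32:])
	if !hmac.Equal(mac.Sum(nil), data[:32]) {
		return "", errors.New("HMAC mismatch: wrong encryption_key or tampered blob")
	}
	block, _ := aes.NewCipher(aesKey)
	pt := make([]byte, len(data)-48)
	cipher.NewCBCDecrypter(block, data[32:48]).CryptBlocks(pt, data[48:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS7 padding")
	}
	return string(pt[:len(pt)-pad]), nil
}

func main() {
	key := "F8879E9B26846C57C99B6F152F74703E1CC15B8B" // encryption_key from the extracted config above
	blob, _ := EncryptSetting(key, "45.200.148.155:6060;") // constructed HOSTS-style value, not the sample's own blob
	fmt.Println(DecryptSetting(key, blob))
}
```

Point DecryptSetting at the base64 strings pulled from a client's Settings class and it either returns the plaintext or fails closed at the HMAC check; a mismatch means a different build's encryption_key or a damaged blob, and no AES is attempted. The HMAC-then-decrypt order is the one the client itself uses, so a blob this code rejects would not have loaded in the implant either.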
Targets
-
Target
file.exe
-
Quasar family
-
Quasar payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
VirtualBox exposes ACPI tables whose OEM identifiers appear as subkeys under HKLM\HARDWARE\ACPI (for example a DSDT entry named VBOX__); reading them is a common hypervisor check.
-
Checks BIOS information in registry
BIOS vendor and version strings under HKLM\HARDWARE\DESCRIPTION\System are often read to detect virtual machines and sandboxes, since on such hosts they typically name the hypervisor or emulator.
-
Identifies Wine through registry keys
Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as a sandboxing environment; the presence of its registry keys (such as HKCU\Software\Wine) reveals it.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the thread from delivering debug events to an attached debugger, a common anti-debugging technique.
-