General
Target: quasar-1.3.rar
Size: 5.2MB
Sample: 241218-dvyp6asldk
MD5: d5e18c5b64f3b41553e3910a9a3a7700
SHA1: 1ba910ee7e0d505a62369b3eae84c17c313e322b
SHA256: dfa03e874601afc2e2b2d3ce8646b6cdce69da7baa751847299ee6e2208d5d7f
SHA512: 05915a3ce42ba3691635770e9b46711fc9a28b556156cd9bf5a292b70c8c58807344dca047d242d39dce00a21ec1463e82d88c3a1f1a245097288ed97348d426
SSDEEP: 98304:Rh2T1DA6eY+h5jBz6TSyfUHlQg+hcJqRWctXhz5VrCJ2Fht1OvMfP2ozpegpyuwg:Rh2SY+PNz6TSG8QWEXrVr8Qhts0fOoz9
Static task: static1
Behavioral task: behavioral1
  Sample: EXIT/Exit.bat
  Resource: win10v2004-20241007-en
Behavioral task: behavioral2
  Sample: QuasarDependencies.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: QuasarScript.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral4
  Sample: Start.bat
  Resource: win10v2004-20241007-en
Behavioral task: behavioral5
  Sample: img-recog.dll
  Resource: win10v2004-20241007-en
Behavioral task: behavioral6
  Sample: self-contain.dll
  Resource: win10v2004-20241007-en
Behavioral task: behavioral7
  Sample: win/qwindows.dll
  Resource: win10v2004-20241007-en
Malware Config
Extracted
  Family: quasar
  Version: 1.4.0
  YT_RAT
  FlawGFX-25466.portmap.io:25466
  b0e42180-0b07-43a4-8af5-751a530df10c
  encryption_key: F38AD66AF1B37C4D9D83D6A35EA505EADBD633EE
  install_name: UpdateScheduler.exe
  log_directory: WinDefender_Logs
  reconnect_delay: 1500
  startup_key: Windows Update Scheduler
  subdirectory: WindowsDefender
Targets

Target: EXIT/Exit.bat
Size: 309B
MD5: 0838b9820c924566aae843284856fd27
SHA1: 2631b94e6267cb4a05768d4cbc71604e2e1cb60c
SHA256: 076b3dbf0da3f88989af8d57a0d18badb72d061e98fae95c2c0dbd8626575569
SHA512: 4df450cbe36bfa64955591f3e147efac6f0da20ca18d509091c2ac3f7e39287761936973cfaf802634f80648362664ccfef39dd104999d8d03b71a64d0b35d8d
Score: 5/10
Signatures:
  Enumerates processes with tasklist

Target: QuasarDependencies.exe
Size: 120KB
MD5: 8e3e60ba2c742636546e314805e31c19
SHA1: cb09acc414a975f1d084183e0b5d2c5b7a77d339
SHA256: 4d728486d5ccfc33c5853866da2e1549677181334552c36e0988bc4f64a208b1
SHA512: e4460b9dd06221c40388abaa7b912af67772ef159b5497406ef19399c5f8ad08edf0e9af1504048dc2a6b6cc2928027f657522ebecd412f986580b361eef56ab
SSDEEP: 3072:EV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPKn:pt5hBPi0BW69hd1MMdxPe9N9uA069TBg
Signatures:
  Quasar family
  Quasar payload
  Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Executes dropped EXE
  Suspicious use of NtSetInformationThreadHideFromDebugger

Target: QuasarScript.exe
Size: 1.2MB
MD5: 90ccd90706e5f5ecf0a4fd6301cf18c8
SHA1: 141f82fc5e8ddf7c2b87cf71bf1f506d2a3f06d4
SHA256: 44ab3d116f6c6318067f89ccb838b5198b6544469ec27557ca1de3655a6ceb96
SHA512: a8689448e4781013c6ae7a3744673f849d759954b91a341703897d5de6bdd1e08f43f03e8a71bdebd296d3d3b8a0928c39729b7a2044e095f0d4625c1325ca5c
SSDEEP: 24576:nTgjYdbiDh2VehFCrs/vtp3+G44Bkl2uXn4zImcKbPJhSvW1o:ncj7hUehgs/D+G44Bkl2y4zgW
Signatures:
  Quasar family
  Quasar payload
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Executes dropped EXE
  Suspicious use of NtSetInformationThreadHideFromDebugger

Target: Start.bat
Size: 4KB
MD5: d8d7df6fe62f011b7458e01a921b574f
SHA1: 7c9b3904e4dbc5814c6580ea7c4586245ef002d8
SHA256: 66b039ce03cc3c839a1d9b1a2c56cecef889bfbab67da276bc1298698473cbaf
SHA512: 3d2552d25dbe37fe9aa87b469256dc953a4b57cd1ab7a5fa418d25c287f7d2589ec5213f2373e17264e4dbe315212656ecf1afa92ea48ed63491a97d9bb80cae
SSDEEP: 96:QQPgAM1IfSmnPlTil5zKYzWe+spCjtR1+:9emSmMpC5R1+
Score: 3/10

Target: img-recog.dll
Size: 4.3MB
MD5: 8d12ff5f45d8d892a79bd51ea846f968
SHA1: e83e7824094b996f877927dbb3f3e344afdd7c83
SHA256: abfe37fe6f990572d4eec6a0a6453d0b447e132db2daec956e3dae0bc0130094
SHA512: 66081bd629202e985198ce1a59e2ef5fffe7b4f9e258c98c5a744b2a6748ad5115862f01cb4ced08fe85bdbac7ad647cb7d0f32060945f9ba47563ee05cdac04
SSDEEP: 49152:VuRRMgmY1/8RyK96tW5RFD1NpC5mzE0b6HkjsBfP8syIwG26YSPDHYRy:EgzzzFD1NpsmzEPDn8syIwG26YQV
Score: 1/10

Target: self-contain.dll
Size: 6.7MB
MD5: 6d50542785d7962382c3756cd85ca12c
SHA1: 4838742895b3a2450031d6c90768fe9bc9722f33
SHA256: 0323c7fbd9a579f339b597b3e5f5b6e02814ae594f7fbc0cdd1786a5a32551ac
SHA512: c3f6ce45a901032052453565b01516a5ae81c41580e8dbdeffc45920692f8e7cdd0c4149c30ca07867be11f3964c6528f78a2de948d5eaa9aa1bab6f2b8cea0e
SSDEEP: 49152:HfqBknrDA3ow7dogcjavaD/r5KNPbHubrjxS04Z9zQtHwmLUHG79ZMAnZE2kPflf:/qBzovx+9z6niYZlDwfpzGAE2vF
Score: 1/10

Target: win/qwindows.dll
Size: 1.4MB
MD5: 0e6d9926455b73c9e67de1e06f02ca19
SHA1: 840c1ce586f8684b7d0e80dd0f1643a2bed4676d
SHA256: bf1a1e1fc37faf7a2f541674b66f0af5b3b70d753444c37cec9259fbf84f36ea
SHA512: 45bc1a205b1059975aa36d724ffd2f5849a0f1b11a01d1ae902f9d8a646e9101bbb059effbf83ffd7bf942c54516a7cf52f2ca66a87b8824f14f4a877acc7bcf
SSDEEP: 24576:E8uYu9qnyYrrFC5ZNxpQdFfwH73BiJu5Guel76wZbqtFV:hacnyYrrFCbNjKxwH73Bi3x0JLV
Score: 1/10
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)