Extracted

• • Target

    2e284063972d9c16b37eba5bf7503f6a79aab6dbc3f26b60627302be448f3897N.exe

  • Size

    6.0MB

  • MD5

    6b8c0e3bab587b028a11ef1aacc32b90

  • SHA1

    4c64932f679115a04005996fe7fec25984952cfb

  • SHA256

    2e284063972d9c16b37eba5bf7503f6a79aab6dbc3f26b60627302be448f3897

  • SHA512

    1e51f5f8262cabce43cd8176fdcfe78e4c796a2d840f3c6be93af559b8c8572a2496049ced6da0d76a7657d950e63b7c08bdf7254ef07ebd9f688825ad7beeb2

  • SSDEEP

    98304:zssvcXkkICDN8PEIvec1K88905+bUs9BAMgFhwvjEt88HoMyj6u2WRJtvT:tvc0khx8PScrkVjhgFhJ4Ksj

  Score

  10^/10

  discoveryquasarblackmagic design davinciexecutionpersistencespywaretrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Power Settings

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2