General
-
Target
FlashingSoftwarePRO.exe
-
Size
3.1MB
-
Sample
241221-r5ea6a1qcm
-
MD5
d608c278bb35e4d55f2eeaecc8ece49d
-
SHA1
93370de0c6c6b4d8bffc5404c21957abef47cf89
-
SHA256
cc0d6761367830ea42949aad6b71ad8c7594f3f78761729abf09c5c033eba097
-
SHA512
be06f91ab0e0b219c533cf42e2b2bcae79decf394bb323cb95cef17684bea1159e6ef7d0afce189160ca0fee941d4f3846bdcf42630b4f0cc8c28f9b6520c5c5
-
SSDEEP
49152:wv5go2QSaNpzyPllgamb0CZof/JWlxNESERk/iOLoGdeGETHHB72eh2NT:wv6o2QSaNpzyPllgamYCZof/J8xAwu
Malware Config
Extracted
quasar
1.4.1
svchost
7.tcp.eu.ngrok.io:10771
7.tcp.eu.ngrok.io:4782
4.tcp.eu.ngrok.io:4782
4.tcp.eu.ngrok.io:11979
4.tcp.eu.ngrok.io:12435
4a2cf556-ea4e-4232-8c01-04513a7e9154
-
encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
300
-
startup_key
RuntimeBroker
-
subdirectory
System32
Targets
-
-
Target
FlashingSoftwarePRO.exe
-
Size
3.1MB
-
MD5
d608c278bb35e4d55f2eeaecc8ece49d
-
SHA1
93370de0c6c6b4d8bffc5404c21957abef47cf89
-
SHA256
cc0d6761367830ea42949aad6b71ad8c7594f3f78761729abf09c5c033eba097
-
SHA512
be06f91ab0e0b219c533cf42e2b2bcae79decf394bb323cb95cef17684bea1159e6ef7d0afce189160ca0fee941d4f3846bdcf42630b4f0cc8c28f9b6520c5c5
-
SSDEEP
49152:wv5go2QSaNpzyPllgamb0CZof/JWlxNESERk/iOLoGdeGETHHB72eh2NT:wv6o2QSaNpzyPllgamYCZof/J8xAwu
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-