Extracted

• • Target

    7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394

  • Size

    6.0MB

  • MD5

    fcd7f27674626fbf8bcce5b0e991c03d

  • SHA1

    143515e84e3b48e5bc5286d819f8fd10b8eb5685

  • SHA256

    7462c344e88e0cf17eeea4e7b52776bb973cb1e07be2225d429cc0bf1187d394

  • SHA512

    3464f2200c9eedd17872842b2336786360b34a4bb2f0709b29cb1a8f794b437532193275b43378149424e2d651dba66657d850ccb37e613cb73e76d8a36b98f6

  • SSDEEP

    98304:j3Go5BKtxo5fQIwuhk/UwalC+i0bBHXGgjaQx+OhfzTxzdloaDW:j3GozKYAEk9oCj0bR2Ej1hbTxkJ

  Score

  10^/10

  quasar4drundefense_evasiondiscoveryevasionexecutionpersistencespywaretrojan

  • Modifies security service

    evasion

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Loads dropped DLL

  • Power Settings

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2