General
-
Target
SeronTest.exe
-
Size
3.1MB
-
Sample
241228-ltppvsxlbz
-
MD5
40d84af5b3499ad8d4485b8839db2f1e
-
SHA1
beba1013f026a44d45e15aaefb947cc40132d38d
-
SHA256
35d51e82e11a00d9bad3dab068867af8ea3b9859aee47ffd0d1e92a06afd6859
-
SHA512
4b7af63b4bbfd65584990bf14b7cf7088c7359dd5ff3d5d14c92d70c024e7c9ff8ecc9752cf830a2740fd2d30b88581083d81be6734492a29fcc6e211d1af07c
-
SSDEEP
49152:oee9cfJdeuEJD4iVUdzb7BGpNG+26vllqJ44hTorj+XyJ2pFnRcEHyaNkfc/hS4m:JgcRIjJDDVozb7BPCbGyrvJenyLyMmV
Malware Config
Extracted
quasar
1.4.1
Seron
nigeboc465-58875.portmap.host:58875
eb8602ec-8a0d-4322-b9a0-544571be5a2d
-
encryption_key
8BD9150EEC3DA71ED82080D7AEB7C165A58C889F
-
install_name
f8mk7ZGwVUpulm.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
f8mk7ZGwVUpulm
-
subdirectory
SubDir
Targets
-
-
Target
SeronTest.exe
-
Size
3.1MB
-
MD5
40d84af5b3499ad8d4485b8839db2f1e
-
SHA1
beba1013f026a44d45e15aaefb947cc40132d38d
-
SHA256
35d51e82e11a00d9bad3dab068867af8ea3b9859aee47ffd0d1e92a06afd6859
-
SHA512
4b7af63b4bbfd65584990bf14b7cf7088c7359dd5ff3d5d14c92d70c024e7c9ff8ecc9752cf830a2740fd2d30b88581083d81be6734492a29fcc6e211d1af07c
-
SSDEEP
49152:oee9cfJdeuEJD4iVUdzb7BGpNG+26vllqJ44hTorj+XyJ2pFnRcEHyaNkfc/hS4m:JgcRIjJDDVozb7BPCbGyrvJenyLyMmV
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Suspicious use of SetThreadContext
-