General

  • Target

    Cool.exe

  • Size

    7.4MB

  • Sample

    241229-h1p3eswmem

  • MD5

    a4ca130e28b42a5cadb6499ecdb8cbf3

  • SHA1

    d3a6e00243b76e6d549a5978fe4cfd2be00c6762

  • SHA256

    58b023b2f159ddc8d2980121e1d92f4c9d3191f215772c00e8b4979c96612f22

  • SHA512

    4733614f8416eaff00e85e1eb51f7123dbd6b818e83ead795039c650b7f48538c8a0b5d846e654b8a329ea8e0a9b555bd7526dda743fba26a93c3a3c77ad7e87

  • SSDEEP

    196608:HMRAj7qnuvwmR+hd5s4iMket2/cEbC/julftfuhk7BxB:1Qg+5cRC2FfUkVT

Malware Config

Extracted

Family

quasar

Attributes

  • encryption_key

    03816C045CDE13385E227545D99CA4F0BBE6CC9F

  • reconnect_delay

    3000

Targets

    • Target

      Cool.exe

    • Quasar RAT

      Quasar is an open-source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clears Windows Event Logs to hide the activity of an intrusion.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15