General
-
Target
a87ef622f73e2193432c26ec41124b09acfd2154f6bdebf099e8d9145894f44a.exe
-
Size
375KB
-
Sample
241231-nr8q3aylcx
-
MD5
55029651ecad5f3be071b6abafb56d90
-
SHA1
a008e8d91c2725eb16e42c3800ace5492a32416e
-
SHA256
a87ef622f73e2193432c26ec41124b09acfd2154f6bdebf099e8d9145894f44a
-
SHA512
83dc82b2aa027ebd62aeceb15b6ae1e71a72da16f557833b8439cda6dded817799748a06ef7721931626d06b687a57fc4be56f1e8846d6e9a6708ad757afb903
-
SSDEEP
6144:YbqQ4i1FFiEKZVSQZzs5jQKbgQ203StbjjSQkzaozVVqHk:CpliPScgCy73StbjjSQkVzV0Hk
Malware Config
Extracted
quasar
1.3.0.0
Authenticator
iamaskibiditoilet-58299.portmap.host:58299
QSR_MUTEX_bNzknSVeSVx21JnqhQ
-
encryption_key
wAIAzlOLR0d5V3YI1aCM
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Runtime Broker
-
subdirectory
SubDir
Targets
-
-
Target
a87ef622f73e2193432c26ec41124b09acfd2154f6bdebf099e8d9145894f44a.exe
-
Size
375KB
-
MD5
55029651ecad5f3be071b6abafb56d90
-
SHA1
a008e8d91c2725eb16e42c3800ace5492a32416e
-
SHA256
a87ef622f73e2193432c26ec41124b09acfd2154f6bdebf099e8d9145894f44a
-
SHA512
83dc82b2aa027ebd62aeceb15b6ae1e71a72da16f557833b8439cda6dded817799748a06ef7721931626d06b687a57fc4be56f1e8846d6e9a6708ad757afb903
-
SSDEEP
6144:YbqQ4i1FFiEKZVSQZzs5jQKbgQ203StbjjSQkzaozVVqHk:CpliPScgCy73StbjjSQkVzV0Hk
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-