Extracted

• • Target

    c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe

  • Size

    3.2MB

  • MD5

    77d75d34a217ca48d26b72d6bf8dedb0

  • SHA1

    9a623c8553fec5ccceb7b0de3d1b828da3a49ac2

  • SHA256

    c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578

  • SHA512

    0334623cf7192350bfb8f15a02b273d9cc8e9504f8a04aab0db29e4bfa25e1cc36f35fa2017da73a331caad6aaa893b4b99c9e891071f3b43959f4ad000f53bc

  • SSDEEP

    98304:j3Gv5mmQ4yVPgp5qG8AbuF+taoPKN494tP+DLA1s2x:j3Gv5mmQ4yVPgp5qG8AbuF+ta+KN4yt9

  Score

  10^/10

  executionquasar4drunevasionpersistencespywaretrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Creates new service(s)

    persistenceexecution

  • Downloads MZ/PE file

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Power Settings

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2