Extracted

• • Target

    3b1bf937711e0b1f3b6e455d535cc4f0.exe

  • Size

    4.9MB

  • MD5

    3b1bf937711e0b1f3b6e455d535cc4f0

  • SHA1

    c13cd57da269a9c84f63787c87a2e503bb154ac7

  • SHA256

    647fb95e4fbe4daaaff5dd81e69c2cef8c12d8f5a6f7c95d88f67de72e542b06

  • SHA512

    2805b2e4f3fdce85dea17a355e559073db2bd00e4788d667a3cdf7cde9e77a459545a7494253fe0fc540cbc89c19e599b1616bd7a185cdd4000b01a6354e99f4

  • SSDEEP

    98304:j3GvI7nzlAi52DH1Emy/+hpC7FBV0CCqXqoOONza/IIA2ZeN9zE1m7:j3GvuSiIDHbM+G7Ff0s5NoIIA2M9w1w

  Score

  10^/10

  quasar4drundefense_evasiondiscoveryevasionexecutionpersistencespywaretrojan

  • Modifies security service

    evasion

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Creates new service(s)

    persistenceexecution

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Loads dropped DLL

  • Power Settings

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2