General
-
Target
1528a6080656c5a8cf440d976047d7fa31e93e483c10142f416108f211145ff0.exe
-
Size
3.8MB
-
Sample
250115-cmq5nsxlbt
-
MD5
df29ee043d88f265cd76747f62ab3ea7
-
SHA1
0594a814e05c80618a72a865fa53d24fd351db5b
-
SHA256
1528a6080656c5a8cf440d976047d7fa31e93e483c10142f416108f211145ff0
-
SHA512
7826bc0582819fb165b25c21fd5a9385b47332201a464b8ae4a035d65f0b3c7ece75507ba0acfa92a6e8b55f2a18ba83344dbf3db264be7d43d3beb5796384a1
-
SSDEEP
98304:WhZ14lAzlFFzMsYLtZvQ1pVjLvAMQkWS27MtXE:WhZ1AAvFzMBNQTBIMQkXtX
Malware Config
Extracted
quasar
1.4.1
gasplant
toolsbox.ydns.eu:20901
33714128-68e4-4509-bd32-b7e414783d3eDtWike
-
encryption_key
43CBFE44C367A91A79A79C9E1778A82D0B498870
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
1528a6080656c5a8cf440d976047d7fa31e93e483c10142f416108f211145ff0.exe
-
Size
3.8MB
-
MD5
df29ee043d88f265cd76747f62ab3ea7
-
SHA1
0594a814e05c80618a72a865fa53d24fd351db5b
-
SHA256
1528a6080656c5a8cf440d976047d7fa31e93e483c10142f416108f211145ff0
-
SHA512
7826bc0582819fb165b25c21fd5a9385b47332201a464b8ae4a035d65f0b3c7ece75507ba0acfa92a6e8b55f2a18ba83344dbf3db264be7d43d3beb5796384a1
-
SSDEEP
98304:WhZ14lAzlFFzMsYLtZvQ1pVjLvAMQkWS27MtXE:WhZ1AAvFzMBNQTBIMQkXtX
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-