Extracted

• • Target

    89f1d675850c32ef010fc8f96e597fbb8ed41a9b92434688ffd1fc4be8002606N.exe

  • Size

    1003KB

  • MD5

    f1f907b229714e2a51a992a98f1dcea0

  • SHA1

    9ee1c94d609ebf7657c2c53740d264a7181fa4b2

  • SHA256

    89f1d675850c32ef010fc8f96e597fbb8ed41a9b92434688ffd1fc4be8002606

  • SHA512

    59e9baabc01ea92d10c645a9bf6a4872c426ee30c11dda7626e6c70ddc0d08946e935293292c614f2c028f330a00db3af9d680c05a754dc2c35df94473e24dda

  • SSDEEP

    24576:NGd7ccE0a+UXGSafMOjDs3Cb94oKnCV8LvxXa0qOvOZth:QAcE0a7X2MOTanCV8LdrqcQh

  Score

  10^/10

  discoveryquasarofficespywaretrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist

    discovery
  behavioral1behavioral2