General
Target: ogpayload.exe
Size: 507KB
Sample: 250116-jldxaazkgz
MD5: 4e7b96fe3160ff171e8e334c66c3205c
SHA1: ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f
SHA256: e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c
SHA512: 2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48
SSDEEP: 6144:mMqQ4i1FFiEKS5huOMGOjBbqSJvoUdy6RIQ9+F2q7N5YrKywP:XpliiqGOj4S5oUdy6WPPYWywP
Behavioral task: behavioral1
Sample: ogpayload.exe
Resource: win7-20240729-en
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: School
C2: gamwtonxristo.ddns.net:1717
Mutex: QSR_MUTEX_M3Vba1npfJg3Ale25C
Attributes:
encryption_key: VtojWKM7f1XyCVdB41wL
install_name: comctl32.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Defender Startup Scan
subdirectory: Windows Defender
Targets
Target: ogpayload.exe
Signatures:
- Quasar family
- Quasar payload
- Checks computer location settings: looks up the country code configured in the registry, likely used as a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.