General
-
Target
filetest.bat
-
Size
7.9MB
-
Sample
250117-xsph9a1jek
-
MD5
f88d18fc65296a1ed460e40a352e3045
-
SHA1
f6d9d94da2f11d0485ca057a057a06ac492bde8c
-
SHA256
f3cbb5d82cd929211283435c7dd79e7c853449ad23e7d4895b9fc0427759ba7f
-
SHA512
f193edd5c475040928e188b756d27ecb2f61ef6a1d7392bdb62e6d5bcdd5c37272849a298e9cc6265b5f67890881971ecf28f93e98edd90f6f536190999ed367
-
SSDEEP
49152:h4ANZ4/rNl/dichvhGpPK7kMes5mmCq/BWZHtPrBe7XTADqoh6EKQJS2H/WkTb/2:6
Malware Config
Extracted
quasar
-
encryption_key
B98A458BCEB5C110558E7281A7F389412ABA4472
-
reconnect_delay
3000
Targets
-
-
Target
filetest.bat
-
Size
7.9MB
-
MD5
f88d18fc65296a1ed460e40a352e3045
-
SHA1
f6d9d94da2f11d0485ca057a057a06ac492bde8c
-
SHA256
f3cbb5d82cd929211283435c7dd79e7c853449ad23e7d4895b9fc0427759ba7f
-
SHA512
f193edd5c475040928e188b756d27ecb2f61ef6a1d7392bdb62e6d5bcdd5c37272849a298e9cc6265b5f67890881971ecf28f93e98edd90f6f536190999ed367
-
SSDEEP
49152:h4ANZ4/rNl/dichvhGpPK7kMes5mmCq/BWZHtPrBe7XTADqoh6EKQJS2H/WkTb/2:6
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-