Extracted

• • Target

    RonixBuild.rar

  • Size

    32.6MB

  • MD5

    fcb8ce41aa00cd3a26ef6f2c637311fa

  • SHA1

    fa1167f818f7c04eadb2a3257bfbfc1076c0028e

  • SHA256

    0a6345d0ff7553fe209f1f52818faa5b67736bee6ab92c862d70b79132a3688f

  • SHA512

    fc6bf51a74255de0ce7b0cd00ab330da706e085145789437841a465f17a3e6696a0570a2696d46a077cbe1b5c21f56b6186c8a89d2f32a7211418e3fcc9e050c

  • SSDEEP

    786432:etrwXxz4P/7DkQ8u4h1eRS94F3CDYiILZhv38ySKn:Gme7wbPiV/iMUyvn

  Score

  10^/10

  quasarofficedefense_evasiondiscoveryevasionexecutionpersistenceransomwarespywaretrojan

  • Modifies WinLogon for persistence

    persistence

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • UAC bypass

    evasiontrojan

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Disables RegEdit via registry modification

    evasion

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to execute payload.

    execution

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1