Extracted

Extracted

• • Target

    1556f5c6d156be7f16a8ca03e06a2e86d81d4ad52c371219ba6fe6d588f28217

  • Size

    858KB

  • MD5

    81c903bf6c6adda5f374876e8460a2e6

  • SHA1

    591a1855a57c22b53e64f1d508a0632ef2f00828

  • SHA256

    1556f5c6d156be7f16a8ca03e06a2e86d81d4ad52c371219ba6fe6d588f28217

  • SHA512

    9e239d192a3bca873a582636ba3df51537f238a75106e836debfd40942a68b78495a2babf74475452950fafc82f717a4696d2d5ddf0e7b92a151bdc8b3727517

  • SSDEEP

    12288:7SkUEyq0tJpRGerwMI2HSmPRcvfawb6JPOiH:+kUEy9RGe0F2ypfn6JPO

  Score

  10^/10

  quasarredlinebotnet 4.2kmspicodiscoveryexecutioninfostealerpersistencespywaretrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Creates new service(s)

    persistenceexecution

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Uses the VBS compiler for execution

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2