General
-
Target
4.vbs
-
Size
272KB
-
Sample
250130-kxmt1aylhn
-
MD5
46cb37a9ab59dfa43f3e4412c9482837
-
SHA1
4409a0080e076e663e8da28a02c1e3ced1f39ba9
-
SHA256
b6a92aac9266f84cded9a49758a8f40221c9d6f424dd6408c83e7d44d548f4ae
-
SHA512
7e186b8b077d9ad0f71dad3663d0c5ad283da8e7b242b53f482e2a54b3a32ef0a9c12a599baaf514a4231cb9dbf800f956066ecd0a563361ad2e1af461526219
-
SSDEEP
6144:xwP7sgNytypIj9WuIUaZ8z7zC2rPKwBEf+2y/twjgqM5NAq:y7syytHs3UoK2wB++2yu4
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Targets
-
-
Target
4.vbs
-
Size
272KB
-
MD5
46cb37a9ab59dfa43f3e4412c9482837
-
SHA1
4409a0080e076e663e8da28a02c1e3ced1f39ba9
-
SHA256
b6a92aac9266f84cded9a49758a8f40221c9d6f424dd6408c83e7d44d548f4ae
-
SHA512
7e186b8b077d9ad0f71dad3663d0c5ad283da8e7b242b53f482e2a54b3a32ef0a9c12a599baaf514a4231cb9dbf800f956066ecd0a563361ad2e1af461526219
-
SSDEEP
6144:xwP7sgNytypIj9WuIUaZ8z7zC2rPKwBEf+2y/twjgqM5NAq:y7syytHs3UoK2wB++2yu4
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1