Extracted

• • Target

    ec46d289d2a013fffc92559385cb6e168f18aa85acff11d80e8eb2c96cf343f4.vbs

  • Size

    273KB

  • MD5

    d3a2ad6fb6dab0fa9dc4372edd2e2c36

  • SHA1

    01e30df2eed8f6945c8705e1289f1a5fb874f9ad

  • SHA256

    ec46d289d2a013fffc92559385cb6e168f18aa85acff11d80e8eb2c96cf343f4

  • SHA512

    c698631d9d5c76b4e6d99a22d3057f0c030865098ab156eff7070c672230af0718dc970542cc96d31defe23ce1aa5b6ef4b42c41d2f1f60ee4ec10a54b9543a6

  • SSDEEP

    6144:uvpZGWTfNhok1a5w8PQAb4zfn2Lhi0XmQU8o:4pEYlM5w84icSh5Xm7

  Score

  10^/10

  discoveryexecutionpersistencequasarspywaretrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1behavioral2