Extracted

• • Target

    f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b

  • Size

    5.5MB

  • MD5

    d39ebc382ec4e299ebfe7c2cc37677fc

  • SHA1

    b28d02f9d146248ef878a23d2cfba7c2be828795

  • SHA256

    f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b

  • SHA512

    44647f02fe00af43767162ace5b86480e47c3ef7a625775a25895a817d2be1fa93acffa5767253422735891c6259fcb9baf1afb46407d8e53db68ecd10aaa51a

  • SSDEEP

    98304:RmBng9T/DSjSHtu4ffZN238DqQcBrcM7LacCmpfqAZekM5s3iD56lbSzfk:Y6DSjSHA4ffZI38kBPfacCmpCAZekM5c

  Score

  10^/10

  quasarrevengeratofficebootkitdefense_evasiondiscoverypersistencespywaretrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat

  • Revengerat family

    revengerat

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2