Extracted

• • Target

    extracted_payload-cleaned - Copy.exe

  • Size

    5.8MB

  • MD5

    bcff5526d0e5da9524a89b2dcc809cee

  • SHA1

    b8c321683058f79eb810e73d338caf292fc04611

  • SHA256

    a0161d709793136e815c902d928421ca5447ac394449a35ee529d85aed318251

  • SHA512

    a9101d4991c49c229b324e5313a9f92cdb489fa1aab68970cdf8189029ad4f30aa03a97c2441be800eec9995042656bc180d00632e8400f43b0c57c023185a53

  • SSDEEP

    98304:dVzA+NolR3oceUQ1spbvuKSUJ17LrbH4q8y1iYVk1OUkh54oZdxkOHYSM:7PNO3K1spbmxcrbH4a1iYVk1O15DUC

  Score

  10^/10

  quasarseroxenv15.0 | fifa23discoverypersistencespywarestealertrojanupx

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Seroxen family

    seroxen

  • Seroxen, Ser0xen

    Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.

    trojanseroxen

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2