General
Target: ShadowClient.bat
Size: 1.8MB
Sample: 250209-l3amasvmbn
MD5: ad49c9d99ba722ed70c4c2d36dc35a5c
SHA1: 4128247edc2f472e57d305ce3ca1c03c4125eb08
SHA256: f3be425deec579961c261213f1a50065e1b12ccec5a0a2d7df1eed1adce2f438
SHA512: acdf14b53404f31efab720dbbb854a3e71b6c64f1125ed9c2895677239e40436d17d0159de0376c5e0e35a7d76f109d9ee6450939b98de4cf4e80475ac839c44
SSDEEP: 24576:SzBY2ensySGbQGBc+8ZuuuZE9gngrghAcvZkOgrLREdcTGvB9tUMNTfTow+q7LIm:B0U8/LOg8hAX5EPpsqLNjfg6X
Static task: static1
Malware Config
Extracted: quasar
Version: 1.0.0
Botnet: Office04
C2: 185.208.159.150:7070
Mutex: f11e5613-720e-4449-82c2-732abf016f5a
Attributes:
encryption_key: 01C9467A5332046D70A97F8EE00AFEB90E173056
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Targets
Target: ShadowClient.bat (1.8MB)
Signatures
Quasar family
Quasar payload
Downloads MZ/PE file
Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
Executes dropped EXE
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1): PowerShell (1)
Scheduled Task/Job (1): Scheduled Task (1)