Extracted

Extracted

• • Target

    7a56b9a7be5d627a61b4fcd3716b73aefa76ecbe38c8edc5c11b47dedb3b888b.exe

  • Size

    6.7MB

  • MD5

    818c5a007a2075f7c56eb69b75d12acb

  • SHA1

    2f33d50e879a18ff744424855d6356bae8f2d5d9

  • SHA256

    79712e68d88a6d2d87555f24f9dc767868289ce0e70000c14e3e72df1b4a58f9

  • SHA512

    f15717749deac968f48ac8c5df01368735658eca535efa19c1b5c2bcb3a1b1f065baa05b609b6526c384a6800b78adccfc8249aab8e7ce411041575303da8ec4

  • SSDEEP

    196608:hwy9GeDVI5DKBWZlkgJedYs6LtYdEhqTgKDSy3n1B:hwykYVI5DK2NNs6LtYdEhSp24B

  Score

  10^/10

  quasaroffice04agilenetdefense_evasionspywarethemidatrojandiscoveryexecutionstealer

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Drops file in System32 directory

  behavioral1behavioral2