General
Target: b373e9052f312689b1b3097c601ccb837917d52d9a0c10b6120457eb945bb1ac.zip
Size: 358KB
Sample: 250327-ds446awyct
MD5: d8e8eb242f1e9b13134bb35909c1a016
SHA1: 9a92d48f5756ad145eaff960a628681c60a135ab
SHA256: b373e9052f312689b1b3097c601ccb837917d52d9a0c10b6120457eb945bb1ac
SHA512: 75f800379e8fb35e2717b65c91ea6a48140034a1e76b01ab602656c0d110b99a3ee06fa2a097261c4529b125b574c4ec47b8205ab592f11181a83f5156814c81
SSDEEP: 6144:ag8Z6QkYrLrFhpr2Hz1vHvZyPB3FbEXMKtGTiKkxEXxdMqSWYSTDylgSKUS:agmLHcJZyPBVbEMfXxyqSWYOul/S
Static task: static1
Behavioral task: behavioral1
Sample: c8f09665c4c94041dd63191d0ea1b0f5092dc636eea7191242a7d7da9d7fa8b6.exe
Resource: win7-20240903-en
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Office05
C2: morelogs.thruhere.net:4788
Mutex: QSR_MUTEX_vpuZcEVGdqV4nkKTlB
encryption_key: rHoRBOHzyexwZPVgy5QT
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds)
startup_key: Quasar Client Startup
subdirectory: SubDir
Notes: thruhere.net is a dynamic-DNS domain, so the C2 should be tracked by hostname and port rather than by whatever IP it resolved to during analysis. The encryption_key is the password from which the Quasar client derives the keys protecting its embedded settings; the other fields above are the decrypted values of those settings. The startup_key is the value name the client registers under the Run key, and install_name/subdirectory describe where it copies itself.
Targets
Target: c8f09665c4c94041dd63191d0ea1b0f5092dc636eea7191242a7d7da9d7fa8b6.exe
Size: 947KB
MD5: 964efbbcba7f76c77d831f02fdc30de4
SHA1: 1ec5e6ac8d0154eca145460e1b349cd49b06fb46
SHA256: c8f09665c4c94041dd63191d0ea1b0f5092dc636eea7191242a7d7da9d7fa8b6
SHA512: a78d5134be0c9c4cbe44fb63309f895946a666306b757622c3d7e715d3c87d056a24dcdcf8f3cd303424ad00861d113ec7aa812088015fb2ec07b2b018a3f990
SSDEEP: 24576:IOdMrF///F53jIWQuTXIZK131ZEhNT8rlwR4QM:ah
Signatures
Quasar family
Quasar payload
Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
Adds Run key to start application: persistence through a Run-key value; the configured startup_key "Quasar Client Startup" is the value name the client writes.
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext: typical of a loader that starts a process suspended, writes a payload into it and redirects the main thread (process hollowing); consistent with the 947KB executable unpacking the Quasar payload rather than being the bare client.
MITRE ATT&CK Enterprise v15
Privilege Escalation: Boot or Logon Autostart Execution (T1547), Registry Run Keys / Startup Folder (T1547.001): 1 matching signature