Extracted

• • Target

    Build.exe

  • Size

    8.0MB

  • MD5

    5aeb840fa69ff4dcd8ba0816a2da1434

  • SHA1

    e710536efe591bb5cf24e3b4cd270775feffddb6

  • SHA256

    1f33f50f29b612c23fe2890fe9567c42e2512ae3c7818f3c60879665019bb4df

  • SHA512

    44c277c1fdd72b2e246bb511f4686df823636c41acaf8d2825c4399a216f48b6d037b9c197db6134464a5c54156648e8bf96dff72bda1426f58578de740a9f72

  • SSDEEP

    49152:zf+7HoOWA0PMlJmN8UkruiWIKYqAFs6eYfZVmBumJzMmbmMqoBLPg4NOW:zG7HlQ6Jg8RrucFs6e6ZV5mJQmbmNW

  Score

  10^/10

  quasarstormkittyoffice04collectioncredential_accessdiscoverypersistenceprivilege_escalationspywarestealertrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Downloads MZ/PE file

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2behavioral3