General

Target: 2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat
Size: 4.0MB
Sample: 240624-kzwvpathqb
MD5: c8015ef5fd4928a90e064f2ef5aebc97
SHA1: e7258d245f886af77154fcb2838a1adadba34e94
SHA256: 97787cbf8314dfd67bbb56e12489e8900022b3c31565b275f479bcaa9b9e7557
SHA512: 9450336f760f3b1749f21203d992f3ef095164d3f1cf91ede05d157830a59e1a054b9c682fb5c6dee794604c944d34b7e03367bba03dbdcfbf51c1073d33010c
SSDEEP: 98304:Qh81Y4zw2GFvr22SsaNYfdPBldt6+dBcjHtKRJ6Bf:by2KM7jGIf
Behavioral task: behavioral1

Sample: 2024-06-24_c8015ef5fd4928a90e064f2ef5aebc97_icedid_poet-rat_quasar-rat_xrat.exe
Resource: win7-20240508-en
Malware Config

Extracted: quasar
1.4.1
Office04
mx5.deitie.asia:4495
ebbf737a-dddd-43dd-9b0a-74831302455d
encryption_key: F8516D89A1DFD78BD8FF575BBC3AE828B47FF0E1
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Targets
- Quasar payload
- Detects Windows executables referencing non-Windows User-Agents
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables containing common artifacts observed in infostealers
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL