General
-
Target
dabaf8f6f0a1c62aea91871b215fe93c.exe
-
Size
524KB
-
Sample
240701-h3sw4aygja
-
MD5
dabaf8f6f0a1c62aea91871b215fe93c
-
SHA1
7a1e1d9981e64379b6ad2517f3705180aa45c5c5
-
SHA256
49d3a6363261b6915cf925e115234347ea4d4bb1bfe603a52a58d764eb266f87
-
SHA512
d509c13f5b28ca1c2d1ec0e57f9d0bb0c31f08ede421f9b57f4a7cb08a782ebf97f4ef0f38e7b36c9747b3f607302a5b5d9ddc8a30d625e7e6f09dc2a5e24c6b
-
SSDEEP
6144:RswAitwXUqtyzlKJCCzq1GzzjQ6NWiOhODiPw532k1c3u5WM+ix/WJpBvCIvyNVp:RJ4y5KJIMznOTPwtdIYbfSBvqN
Malware Config
Extracted
quasar
1.4.0.0
Office04
194.26.192.92:4782
xmarvel.ddns.net:4782
1D5hAYqKMWDHFxCpFw
-
encryption_key
GqEm1Kfv49pa27CfDSc9
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
dabaf8f6f0a1c62aea91871b215fe93c.exe
-
Size
524KB
-
MD5
dabaf8f6f0a1c62aea91871b215fe93c
-
SHA1
7a1e1d9981e64379b6ad2517f3705180aa45c5c5
-
SHA256
49d3a6363261b6915cf925e115234347ea4d4bb1bfe603a52a58d764eb266f87
-
SHA512
d509c13f5b28ca1c2d1ec0e57f9d0bb0c31f08ede421f9b57f4a7cb08a782ebf97f4ef0f38e7b36c9747b3f607302a5b5d9ddc8a30d625e7e6f09dc2a5e24c6b
-
SSDEEP
6144:RswAitwXUqtyzlKJCCzq1GzzjQ6NWiOhODiPw532k1c3u5WM+ix/WJpBvCIvyNVp:RJ4y5KJIMznOTPwtdIYbfSBvqN
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-