Introduction

Quasar is a publicly-available Remote Access Tool (RAT) for Windows hosts. Here is a link to the GitHub page for Quasar RAT. This RAT is occasionally distributed as malware through malicious spam (malspam). On Tuesday 2019-09-24 I found malspam with malware based on Quasar RAT. Today's diary reviews the infection activity.

The email
Infection traffic
Post-infection forensics
Indicators of Compromise (IOCs)

The following infection traffic was seen on my infected lab host:
The following items are malware associated with this infection:

SHA256 hash: abc980ebd2463ff522ff090914cc21d02915f643f385ee0ea0af23d51a18e47f
SHA256 hash: edcbbb59405b2bb97269ed5db32a15b57154221adb9504ff828ee367953cccc1
SHA256 hash: 065ac3f23800921135b1794706aca86ab59c94ab463c5c17a4d3535bf9aab828
SHA256 hash: 389863b056fa0c3d4ebf130103445bc56769824f1e6cecea9c950744b80752b0
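As an added example (not part of the original diary and not Brad Duncan's code), the following Python sweep hashes every regular file under a directory and reports any whose SHA256 matches the IOCs listed above. The four hashes are the ones from this diary; the directory walk, case normalization, skipping of unreadable files and the report format are my own assumptions about how a responder would put the list to use.

```python
"""Sweep a directory tree for files matching the SHA256 IOCs from this diary.

Added example, not the diary author's code. The hash set is taken from the
IOC list above; everything else (walk, normalization, reporting) is assumed.
"""
import hashlib
import os
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Set

# SHA256 hashes listed in the IOC section of this diary.
QUASAR_IOCS: Set[str] = {
    "abc980ebd2463ff522ff090914cc21d02915f643f385ee0ea0af23d51a18e47f",
    "edcbbb59405b2bb97269ed5db32a15b57154221adb9504ff828ee367953cccc1",
    "065ac3f23800921135b1794706aca86ab59c94ab463c5c17a4d3535bf9aab828",
    "389863b056fa0c3d4ebf130103445bc56769824f1e6cecea9c950744b80752b0",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA256 so large binaries never have to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: Iterable[str]) -> Dict[str, List[Path]]:
    """Return {ioc_hash: [matching paths]} for every regular file under root.

    IOC hashes are lowercased so a list pasted with mixed case still matches.
    Files that cannot be read (locked, permission denied, vanished mid-walk)
    are skipped instead of aborting the whole sweep.
    """
    wanted = {h.strip().lower() for h in iocs}
    hits: Dict[str, List[Path]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if not p.is_file():  # skip sockets, broken symlinks, etc.
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in wanted:
                hits.setdefault(digest, []).append(p)
    return hits


def main(argv: List[str]) -> int:
    """Usage: python quasar_ioc_sweep.py <dir> [<dir> ...]; exit 1 if any IOC matched."""
    roots = [Path(a) for a in argv[1:]] or [Path(".")]
    total = 0
    for root in roots:
        for digest, paths in scan_tree(root, QUASAR_IOCS).items():
            for p in paths:
                print(f"MATCH {digest} {p}")
                total += 1
    print(f"{total} file(s) matched {len(QUASAR_IOCS)} IOC hash(es)")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the directories Quasar-style droppers usually land in (user profile, %TEMP%, the download folder) rather than the whole volume first; a full-disk SHA256 pass is slow, and a hash match only catches byte-identical samples, so a miss here is not a clean bill of health.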
Final words

The email, a pcap of the infection traffic, and the associated malware are available here.

Brad Duncan, ISC Handler
Sep 25th 2019