0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28d09d:$x1: Quasar.Common.Messages
- 0x29d3c6:$x1: Quasar.Common.Messages
- 0x2a9a4a:$x4: Uninstalling... good bye :-(
- 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2a8ffc:$f1: FileZilla\recentservers.xml
- 0x2a903c:$f2: FileZilla\sitemanager.xml
- 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2a92ca:$b1: Chrome\User Data\
- 0x2a9320:$b1: Chrome\User Data\
- 0x2a95f8:$b2: Mozilla\Firefox\Profiles
- 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2a984c:$b4: Opera Software\Opera Stable\Login Data
- 0x2a9906:$b5: YandexBrowser\User Data\
- 0x2a9974:$b5: YandexBrowser\User Data\
- 0x2a9648:$s4: logins.json
- 0x2a937e:$a1: username_value
- 0x2a939c:$a2: password_value
- 0x2a9688:$a3: encryptedUsername
- 0x2fb594:$a3: encryptedUsername
- 0x2a96ac:$a4: encryptedPassword
- 0x2fb5b2:$a4: encryptedPassword
- 0x2fb530:$a5: httpRealm
|
0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2a9b34:$s3: Process already elevated.
- 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords
- 0x276e58:$s5: GetKeyloggerLogsDirectory
- 0x29cb25:$s5: GetKeyloggerLogsDirectory
- 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
19.2.KxgGGaiW3E.exe.20599dba870.1.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
19.2.KxgGGaiW3E.exe.20599dba870.1.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28d09d:$x1: Quasar.Common.Messages
- 0x29d3c6:$x1: Quasar.Common.Messages
- 0x2a9a4a:$x4: Uninstalling... good bye :-(
- 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
19.2.KxgGGaiW3E.exe.20599dba870.1.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2a8ffc:$f1: FileZilla\recentservers.xml
- 0x2a903c:$f2: FileZilla\sitemanager.xml
- 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2a92ca:$b1: Chrome\User Data\
- 0x2a9320:$b1: Chrome\User Data\
- 0x2a95f8:$b2: Mozilla\Firefox\Profiles
- 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2a984c:$b4: Opera Software\Opera Stable\Login Data
- 0x2a9906:$b5: YandexBrowser\User Data\
- 0x2a9974:$b5: YandexBrowser\User Data\
- 0x2a9648:$s4: logins.json
- 0x2a937e:$a1: username_value
- 0x2a939c:$a2: password_value
- 0x2a9688:$a3: encryptedUsername
- 0x2fb594:$a3: encryptedUsername
- 0x2a96ac:$a4: encryptedPassword
- 0x2fb5b2:$a4: encryptedPassword
- 0x2fb530:$a5: httpRealm
|
19.2.KxgGGaiW3E.exe.20599dba870.1.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2a9b34:$s3: Process already elevated.
- 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords
- 0x276e58:$s5: GetKeyloggerLogsDirectory
- 0x29cb25:$s5: GetKeyloggerLogsDirectory
- 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28d09d:$x1: Quasar.Common.Messages
- 0x29d3c6:$x1: Quasar.Common.Messages
- 0x2a9a4a:$x4: Uninstalling... good bye :-(
- 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2a8ffc:$f1: FileZilla\recentservers.xml
- 0x2a903c:$f2: FileZilla\sitemanager.xml
- 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2a92ca:$b1: Chrome\User Data\
- 0x2a9320:$b1: Chrome\User Data\
- 0x2a95f8:$b2: Mozilla\Firefox\Profiles
- 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2a984c:$b4: Opera Software\Opera Stable\Login Data
- 0x2a9906:$b5: YandexBrowser\User Data\
- 0x2a9974:$b5: YandexBrowser\User Data\
- 0x2a9648:$s4: logins.json
- 0x2a937e:$a1: username_value
- 0x2a939c:$a2: password_value
- 0x2a9688:$a3: encryptedUsername
- 0x2fb594:$a3: encryptedUsername
- 0x2a96ac:$a4: encryptedPassword
- 0x2fb5b2:$a4: encryptedPassword
- 0x2fb530:$a5: httpRealm
|
13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2a9b34:$s3: Process already elevated.
- 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords
- 0x276e58:$s5: GetKeyloggerLogsDirectory
- 0x29cb25:$s5: GetKeyloggerLogsDirectory
- 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28d09d:$x1: Quasar.Common.Messages
- 0x29d3c6:$x1: Quasar.Common.Messages
- 0x2a9a4a:$x4: Uninstalling... good bye :-(
- 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2a8ffc:$f1: FileZilla\recentservers.xml
- 0x2a903c:$f2: FileZilla\sitemanager.xml
- 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2a92ca:$b1: Chrome\User Data\
- 0x2a9320:$b1: Chrome\User Data\
- 0x2a95f8:$b2: Mozilla\Firefox\Profiles
- 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2a984c:$b4: Opera Software\Opera Stable\Login Data
- 0x2a9906:$b5: YandexBrowser\User Data\
- 0x2a9974:$b5: YandexBrowser\User Data\
- 0x2a9648:$s4: logins.json
- 0x2a937e:$a1: username_value
- 0x2a939c:$a2: password_value
- 0x2a9688:$a3: encryptedUsername
- 0x2fb594:$a3: encryptedUsername
- 0x2a96ac:$a4: encryptedPassword
- 0x2fb5b2:$a4: encryptedPassword
- 0x2fb530:$a5: httpRealm
|
13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2a9b34:$s3: Process already elevated.
- 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords
- 0x276e58:$s5: GetKeyloggerLogsDirectory
- 0x29cb25:$s5: GetKeyloggerLogsDirectory
- 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28ee9d:$x1: Quasar.Common.Messages
- 0x29f1c6:$x1: Quasar.Common.Messages
- 0x2ab84a:$x4: Uninstalling... good bye :-(
- 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2aadfc:$f1: FileZilla\recentservers.xml
- 0x2aae3c:$f2: FileZilla\sitemanager.xml
- 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2ab0ca:$b1: Chrome\User Data\
- 0x2ab120:$b1: Chrome\User Data\
- 0x2ab3f8:$b2: Mozilla\Firefox\Profiles
- 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data
- 0x2ab706:$b5: YandexBrowser\User Data\
- 0x2ab774:$b5: YandexBrowser\User Data\
- 0x2ab448:$s4: logins.json
- 0x2ab17e:$a1: username_value
- 0x2ab19c:$a2: password_value
- 0x2ab488:$a3: encryptedUsername
- 0x2fd394:$a3: encryptedUsername
- 0x2ab4ac:$a4: encryptedPassword
- 0x2fd3b2:$a4: encryptedPassword
- 0x2fd330:$a5: httpRealm
|
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2ab934:$s3: Process already elevated.
- 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
- 0x278c58:$s5: GetKeyloggerLogsDirectory
- 0x29e925:$s5: GetKeyloggerLogsDirectory
- 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28ee9d:$x1: Quasar.Common.Messages
- 0x29f1c6:$x1: Quasar.Common.Messages
- 0x2ab84a:$x4: Uninstalling... good bye :-(
- 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2aadfc:$f1: FileZilla\recentservers.xml
- 0x2aae3c:$f2: FileZilla\sitemanager.xml
- 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2ab0ca:$b1: Chrome\User Data\
- 0x2ab120:$b1: Chrome\User Data\
- 0x2ab3f8:$b2: Mozilla\Firefox\Profiles
- 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data
- 0x2ab706:$b5: YandexBrowser\User Data\
- 0x2ab774:$b5: YandexBrowser\User Data\
- 0x2ab448:$s4: logins.json
- 0x2ab17e:$a1: username_value
- 0x2ab19c:$a2: password_value
- 0x2ab488:$a3: encryptedUsername
- 0x2fd394:$a3: encryptedUsername
- 0x2ab4ac:$a4: encryptedPassword
- 0x2fd3b2:$a4: encryptedPassword
- 0x2fd330:$a5: httpRealm
|
13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2ab934:$s3: Process already elevated.
- 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
- 0x278c58:$s5: GetKeyloggerLogsDirectory
- 0x29e925:$s5: GetKeyloggerLogsDirectory
- 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
18.2.svchost.exe.400000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
18.2.svchost.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
18.2.svchost.exe.400000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28ee9d:$x1: Quasar.Common.Messages
- 0x29f1c6:$x1: Quasar.Common.Messages
- 0x2ab84a:$x4: Uninstalling... good bye :-(
- 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
18.2.svchost.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2aadfc:$f1: FileZilla\recentservers.xml
- 0x2aae3c:$f2: FileZilla\sitemanager.xml
- 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2ab0ca:$b1: Chrome\User Data\
- 0x2ab120:$b1: Chrome\User Data\
- 0x2ab3f8:$b2: Mozilla\Firefox\Profiles
- 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data
- 0x2ab706:$b5: YandexBrowser\User Data\
- 0x2ab774:$b5: YandexBrowser\User Data\
- 0x2ab448:$s4: logins.json
- 0x2ab17e:$a1: username_value
- 0x2ab19c:$a2: password_value
- 0x2ab488:$a3: encryptedUsername
- 0x2fd394:$a3: encryptedUsername
- 0x2ab4ac:$a4: encryptedPassword
- 0x2fd3b2:$a4: encryptedPassword
- 0x2fd330:$a5: httpRealm
|
18.2.svchost.exe.400000.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2ab934:$s3: Process already elevated.
- 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
- 0x278c58:$s5: GetKeyloggerLogsDirectory
- 0x29e925:$s5: GetKeyloggerLogsDirectory
- 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
29.2.wmplayer.exe.400000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
29.2.wmplayer.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
29.2.wmplayer.exe.400000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28ee9d:$x1: Quasar.Common.Messages
- 0x29f1c6:$x1: Quasar.Common.Messages
- 0x2ab84a:$x4: Uninstalling... good bye :-(
- 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
29.2.wmplayer.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2aadfc:$f1: FileZilla\recentservers.xml
- 0x2aae3c:$f2: FileZilla\sitemanager.xml
- 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2ab0ca:$b1: Chrome\User Data\
- 0x2ab120:$b1: Chrome\User Data\
- 0x2ab3f8:$b2: Mozilla\Firefox\Profiles
- 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data
- 0x2ab706:$b5: YandexBrowser\User Data\
- 0x2ab774:$b5: YandexBrowser\User Data\
- 0x2ab448:$s4: logins.json
- 0x2ab17e:$a1: username_value
- 0x2ab19c:$a2: password_value
- 0x2ab488:$a3: encryptedUsername
- 0x2fd394:$a3: encryptedUsername
- 0x2ab4ac:$a4: encryptedPassword
- 0x2fd3b2:$a4: encryptedPassword
- 0x2fd330:$a5: httpRealm
|
29.2.wmplayer.exe.400000.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2ab934:$s3: Process already elevated.
- 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
- 0x278c58:$s5: GetKeyloggerLogsDirectory
- 0x29e925:$s5: GetKeyloggerLogsDirectory
- 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28d09d:$x1: Quasar.Common.Messages
- 0x29d3c6:$x1: Quasar.Common.Messages
- 0x2a9a4a:$x4: Uninstalling... good bye :-(
- 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2a8ffc:$f1: FileZilla\recentservers.xml
- 0x2a903c:$f2: FileZilla\sitemanager.xml
- 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2a92ca:$b1: Chrome\User Data\
- 0x2a9320:$b1: Chrome\User Data\
- 0x2a95f8:$b2: Mozilla\Firefox\Profiles
- 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2a984c:$b4: Opera Software\Opera Stable\Login Data
- 0x2a9906:$b5: YandexBrowser\User Data\
- 0x2a9974:$b5: YandexBrowser\User Data\
- 0x2a9648:$s4: logins.json
- 0x2a937e:$a1: username_value
- 0x2a939c:$a2: password_value
- 0x2a9688:$a3: encryptedUsername
- 0x2fb594:$a3: encryptedUsername
- 0x2a96ac:$a4: encryptedPassword
- 0x2fb5b2:$a4: encryptedPassword
- 0x2fb530:$a5: httpRealm
|
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2a9b34:$s3: Process already elevated.
- 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords
- 0x276e58:$s5: GetKeyloggerLogsDirectory
- 0x29cb25:$s5: GetKeyloggerLogsDirectory
- 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28ee9d:$x1: Quasar.Common.Messages
- 0x29f1c6:$x1: Quasar.Common.Messages
- 0x2ab84a:$x4: Uninstalling... good bye :-(
- 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2aadfc:$f1: FileZilla\recentservers.xml
- 0x2aae3c:$f2: FileZilla\sitemanager.xml
- 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2ab0ca:$b1: Chrome\User Data\
- 0x2ab120:$b1: Chrome\User Data\
- 0x2ab3f8:$b2: Mozilla\Firefox\Profiles
- 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data
- 0x2ab706:$b5: YandexBrowser\User Data\
- 0x2ab774:$b5: YandexBrowser\User Data\
- 0x2ab448:$s4: logins.json
- 0x2ab17e:$a1: username_value
- 0x2ab19c:$a2: password_value
- 0x2ab488:$a3: encryptedUsername
- 0x2fd394:$a3: encryptedUsername
- 0x2ab4ac:$a4: encryptedPassword
- 0x2fd3b2:$a4: encryptedPassword
- 0x2fd330:$a5: httpRealm
|
19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2ab934:$s3: Process already elevated.
- 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
- 0x278c58:$s5: GetKeyloggerLogsDirectory
- 0x29e925:$s5: GetKeyloggerLogsDirectory
- 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28d09d:$x1: Quasar.Common.Messages
- 0x29d3c6:$x1: Quasar.Common.Messages
- 0x2a9a4a:$x4: Uninstalling... good bye :-(
- 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2a8ffc:$f1: FileZilla\recentservers.xml
- 0x2a903c:$f2: FileZilla\sitemanager.xml
- 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2a92ca:$b1: Chrome\User Data\
- 0x2a9320:$b1: Chrome\User Data\
- 0x2a95f8:$b2: Mozilla\Firefox\Profiles
- 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2a984c:$b4: Opera Software\Opera Stable\Login Data
- 0x2a9906:$b5: YandexBrowser\User Data\
- 0x2a9974:$b5: YandexBrowser\User Data\
- 0x2a9648:$s4: logins.json
- 0x2a937e:$a1: username_value
- 0x2a939c:$a2: password_value
- 0x2a9688:$a3: encryptedUsername
- 0x2fb594:$a3: encryptedUsername
- 0x2a96ac:$a4: encryptedPassword
- 0x2fb5b2:$a4: encryptedPassword
- 0x2fb530:$a5: httpRealm
|
19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2a9b34:$s3: Process already elevated.
- 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords
- 0x276e58:$s5: GetKeyloggerLogsDirectory
- 0x29cb25:$s5: GetKeyloggerLogsDirectory
- 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
5.2.ngen.exe.400000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
5.2.ngen.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
5.2.ngen.exe.400000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28ee9d:$x1: Quasar.Common.Messages
- 0x29f1c6:$x1: Quasar.Common.Messages
- 0x2ab84a:$x4: Uninstalling... good bye :-(
- 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
5.2.ngen.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2aadfc:$f1: FileZilla\recentservers.xml
- 0x2aae3c:$f2: FileZilla\sitemanager.xml
- 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2ab0ca:$b1: Chrome\User Data\
- 0x2ab120:$b1: Chrome\User Data\
- 0x2ab3f8:$b2: Mozilla\Firefox\Profiles
- 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data
- 0x2ab706:$b5: YandexBrowser\User Data\
- 0x2ab774:$b5: YandexBrowser\User Data\
- 0x2ab448:$s4: logins.json
- 0x2ab17e:$a1: username_value
- 0x2ab19c:$a2: password_value
- 0x2ab488:$a3: encryptedUsername
- 0x2fd394:$a3: encryptedUsername
- 0x2ab4ac:$a4: encryptedPassword
- 0x2fd3b2:$a4: encryptedPassword
- 0x2fd330:$a5: httpRealm
|
5.2.ngen.exe.400000.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2ab934:$s3: Process already elevated.
- 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
- 0x278c58:$s5: GetKeyloggerLogsDirectory
- 0x29e925:$s5: GetKeyloggerLogsDirectory
- 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28ee9d:$x1: Quasar.Common.Messages
- 0x29f1c6:$x1: Quasar.Common.Messages
- 0x2ab84a:$x4: Uninstalling... good bye :-(
- 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2aadfc:$f1: FileZilla\recentservers.xml
- 0x2aae3c:$f2: FileZilla\sitemanager.xml
- 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2ab0ca:$b1: Chrome\User Data\
- 0x2ab120:$b1: Chrome\User Data\
- 0x2ab3f8:$b2: Mozilla\Firefox\Profiles
- 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data
- 0x2ab706:$b5: YandexBrowser\User Data\
- 0x2ab774:$b5: YandexBrowser\User Data\
- 0x2ab448:$s4: logins.json
- 0x2ab17e:$a1: username_value
- 0x2ab19c:$a2: password_value
- 0x2ab488:$a3: encryptedUsername
- 0x2fd394:$a3: encryptedUsername
- 0x2ab4ac:$a4: encryptedPassword
- 0x2fd3b2:$a4: encryptedPassword
- 0x2fd330:$a5: httpRealm
|
0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2ab934:$s3: Process already elevated.
- 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
- 0x278c58:$s5: GetKeyloggerLogsDirectory
- 0x29e925:$s5: GetKeyloggerLogsDirectory
- 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28ee9d:$x1: Quasar.Common.Messages
- 0x29f1c6:$x1: Quasar.Common.Messages
- 0x2ab84a:$x4: Uninstalling... good bye :-(
- 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2aadfc:$f1: FileZilla\recentservers.xml
- 0x2aae3c:$f2: FileZilla\sitemanager.xml
- 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2ab0ca:$b1: Chrome\User Data\
- 0x2ab120:$b1: Chrome\User Data\
- 0x2ab3f8:$b2: Mozilla\Firefox\Profiles
- 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data
- 0x2ab706:$b5: YandexBrowser\User Data\
- 0x2ab774:$b5: YandexBrowser\User Data\
- 0x2ab448:$s4: logins.json
- 0x2ab17e:$a1: username_value
- 0x2ab19c:$a2: password_value
- 0x2ab488:$a3: encryptedUsername
- 0x2fd394:$a3: encryptedUsername
- 0x2ab4ac:$a4: encryptedPassword
- 0x2fd3b2:$a4: encryptedPassword
- 0x2fd330:$a5: httpRealm
|
19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2ab934:$s3: Process already elevated.
- 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
- 0x278c58:$s5: GetKeyloggerLogsDirectory
- 0x29e925:$s5: GetKeyloggerLogsDirectory
- 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|
13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | - 0x28ee9d:$x1: Quasar.Common.Messages
- 0x29f1c6:$x1: Quasar.Common.Messages
- 0x2ab84a:$x4: Uninstalling... good bye :-(
- 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
|
13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen | - 0x2aadfc:$f1: FileZilla\recentservers.xml
- 0x2aae3c:$f2: FileZilla\sitemanager.xml
- 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
- 0x2ab0ca:$b1: Chrome\User Data\
- 0x2ab120:$b1: Chrome\User Data\
- 0x2ab3f8:$b2: Mozilla\Firefox\Profiles
- 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data
- 0x2ab706:$b5: YandexBrowser\User Data\
- 0x2ab774:$b5: YandexBrowser\User Data\
- 0x2ab448:$s4: logins.json
- 0x2ab17e:$a1: username_value
- 0x2ab19c:$a2: password_value
- 0x2ab488:$a3: encryptedUsername
- 0x2fd394:$a3: encryptedUsername
- 0x2ab4ac:$a4: encryptedPassword
- 0x2fd3b2:$a4: encryptedPassword
- 0x2fd330:$a5: httpRealm
|
13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | - 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
- 0x2ab934:$s3: Process already elevated.
- 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords
- 0x278c58:$s5: GetKeyloggerLogsDirectory
- 0x29e925:$s5: GetKeyloggerLogsDirectory
- 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords
- 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
|