Deep Analysis - QuasarRAT Stealer Module | Threat: HIGH

File Identity

SHA256: 2e6fbd142bd5622d2415adbb479d091d322e2f28e91ddc20e3f8b59a26b42a73
Size: 60,416 bytes (59 KB) PE32 GUI x86 .NET
Entropy: 5.94 (normal)
Timestamp: FUTURE TIME (future date) - sandbox analysis evasion!

QuasarRAT Origin Detection

QUASAR RAT: Quasar.Client.Recovery.FtpClients -> QuasarRAT client recovery module!
Quasar.Client.Recovery.FtpClients   <- QuasarRAT FTP recovery module
(QuasarRAT GitHub: github.com/quasar/QuasarRAT - open-source RAT)

This sample is derived from QuasarRAT's credential recovery classes.

Target Programs (Browser + FTP + VPN)

Browsers:
  ChromePassReader   -> Google Chrome Login Data
  EdgePassReader     -> Microsoft Edge Login Data
  BravePassReader    -> Brave Browser Login Data
  FirefoxPassReader  -> Firefox signons.sqlite (PK11SDR_Decrypt)
  DecryptIePassword  -> Internet Explorer
  YandexPassReader   -> Yandex Browser Ya Passman Data

FTP Client:
  FileZillaPassReader -> recentservers.xml, sitemanager.xml

Remote Access:
  WinSCP  -> SOFTWARE\Martin Prikryl\WinSCP 2\Sessions (registry)

Encrypted Credential Decryption

ChromiumDecryptor  -> Chrome/Edge/Brave DPAPI password decryption
DecryptAesGcm      -> AES-GCM (newer Chrome encryption)
FFDecryptor        -> Firefox NSS password decryption
Pk11sdrDecrypt     -> Firefox PK11SDR_Decrypt NSS function
CRYPT_VERIFYCONTEXT / ENCRYPTIONKEY / CryptHashData -> Windows DPAPI

Anti-Sandbox: Future Date

TECHNIQUE: The PE timestamp is in the future! Some sandboxes check the date.

IOC

SHA256: 2e6fbd142bd5622d2415adbb479d091d322e2f28e91ddc20e3f8b59a26b42a73
Family: QuasarRAT (Quasar.Client.Recovery.FtpClients)
Browser Targets: Chrome, Edge, Brave, Firefox, IE, Yandex
FTP Targets: FileZilla, WinSCP
Password Decryption: ChromiumDecryptor, FFDecryptor, PK11SDR_Decrypt, AES-GCM DPAPI
Anti-Sandbox: PE timestamp in the future

QuasarStealer — Malware Profile

QuasarRAT-based credential stealer module. It uses ChromiumDecryptor+DecryptAesGcm for Chrome/Edge/Brave, FFDecryptor+PK11SDR_Decrypt for Firefox, and YandexPassReader for Yandex. FileZilla and WinSCP FTP client passwords are stolen as well. The PE timestamp is future-dated (anti-sandbox technique). Derived from the open-source QuasarRAT client.

Malware Type
Infostealer
Programming Language
C#/.NET
C2 Protocol
HTTP
Target Systems
Global

Capabilities & Behavior

Browser Credentials
Cookie Theft
Crypto Wallet Theft
System Information
Screenshot Capture
FTP/SSH Client Passwords
Email Client Theft
Data Exfiltration

IOC List (1 indicator)

IOC — QuasarStealer
Type | Value | Note
sha256 | 2e6fbd142bd5622d2415adbb479d091d322e2f28e91ddc20e3f8b59a26b42a73 | -
Tags
quasar-rat-client-recovery-module, chromiumdecryptor-chrome-edge-brave, firefoxdecryptor-pk11sdr-decrypt, yandex-browser-ya-passman-stealer, filezilla-recentservers-sitemanager, winscp-registry-session-stealer, decryptaesgcm-modern-chrome-aes-gcm, future-timestamp-anti-sandbox, dpapi-crypt-verifycontext, edge-brave-chrome-login-data, quasar-ftp-client-recovery, internet-explorer-password-decrypt