Deep Analysis - QuasarRAT Stealer Module | Threat: HIGH
File Identity
| Field | Value |
|---|---|
| SHA256 | 2e6fbd142bd5622d2415adbb479d091d322e2f28e91ddc20e3f8b59a26b42a73 |
| Size | 60,416 bytes (59 KB), PE32 GUI x86 .NET |
| Entropy | 5.94 (normal) |
| Timestamp | FUTURE TIME (future-dated) - sandbox analysis evasion! |
QuasarRAT Origin Detection
QUASAR RAT: Quasar.Client.Recovery.FtpClients -> QuasarRAT client recovery module!
Quasar.Client.Recovery.FtpClients <- QuasarRAT FTP recovery module
(QuasarRAT GitHub: github.com/quasar/QuasarRAT - open-source RAT)

This sample is derived from QuasarRAT's credential recovery classes.
Target Programs (Browser + FTP + VPN)
Browsers:
 ChromePassReader -> Google Chrome Login Data
 EdgePassReader -> Microsoft Edge Login Data
 BravePassReader -> Brave Browser Login Data
 FirefoxPassReader -> Firefox signons.sqlite (PK11SDR_Decrypt)
 DecryptIePassword -> Internet Explorer
 YandexPassReader -> Yandex Browser Ya Passman Data

FTP Client:
 FileZillaPassReader -> recentservers.xml, sitemanager.xml

Remote Access:
 WinSCP -> SOFTWARE\Martin Prikryl\WinSCP 2\Sessions (registry)
Encrypted Credential Decryption
ChromiumDecryptor -> Chrome/Edge/Brave DPAPI password decryption
DecryptAesGcm -> AES-GCM (newer Chrome encryption)
FFDecryptor -> Firefox NSS password decryption
Pk11sdrDecrypt -> Firefox PK11SDR_Decrypt NSS function
CRYPT_VERIFYCONTEXT / ENCRYPTIONKEY / CryptHashData -> Windows DPAPI
Anti-Sandbox: Future Date
TECHNIQUE: The PE timestamp is in the future! Some sandboxes check the date.
IOC
| Field | Value |
|---|---|
| SHA256 | 2e6fbd142bd5622d2415adbb479d091d322e2f28e91ddc20e3f8b59a26b42a73 |
| Family | QuasarRAT (Quasar.Client.Recovery.FtpClients) |
| Browser Targets | Chrome, Edge, Brave, Firefox, IE, Yandex |
| FTP Targets | FileZilla, WinSCP |
| Decryption | ChromiumDecryptor, FFDecryptor, PK11SDR_Decrypt, AES-GCM, DPAPI |
| Anti-Sandbox | Future-dated PE timestamp |
QuasarStealer — Malware Profile
QuasarRAT-based credential stealer module. It uses ChromiumDecryptor+DecryptAesGcm for Chrome/Edge/Brave, FFDecryptor+PK11SDR_Decrypt for Firefox, and YandexPassReader for Yandex. It also steals FileZilla and WinSCP FTP client passwords. The PE timestamp is future-dated (anti-sandbox technique). Derived from the open-source QuasarRAT client.
Malware Type
Infostealer
Programming Language
C#/.NET
C2 Protocol
HTTP
Target Systems
Global
Capabilities & Behavior
Browser Credentials
Cookie Theft
Crypto Wallet Theft
System Information
Screenshot Capture
FTP/SSH Client Passwords
Email Client Theft
Data Exfiltration
IOC List (1 indicator)
IOC — QuasarStealer
# SHA256
2e6fbd142bd5622d2415adbb479d091d322e2f28e91ddc20e3f8b59a26b42a73
| Type | Value | Note |
|---|---|---|
| sha256 | 2e6fbd142bd5622d2415adbb479d091d322e2f28e91ddc20e3f8b59a26b42a73 | |