agenttesla | 8904d96a473dd52cd5255e046d47148eb27cc778395fff4f220bbb9509f643d8

Sharing

Copy URL

Twitter E-mail

General

Target

Release (1).rar
Size

2.1MB
Sample

240428-ac5tzabe55
MD5

d3efe853d6c513b2d6902725046b6ca5
SHA1

c35339b4153832e66876908933636e129f7a1a2c
SHA256

8904d96a473dd52cd5255e046d47148eb27cc778395fff4f220bbb9509f643d8
SHA512

b737ca1a9a89141bfec0c78384b794abc04b141ee5c67425a0f96b2bf44dcd20b40cd8193bc05b83d80f542e1aca99df82e1be5bf0c2c9f8f8f7a83326d537ec
SSDEEP

49152:LcfFNSDhMpeKfGO4xsJsDv+IVFH0xCf33auJ06cwPh2:WnoMrfGOpJsDv+UFHr/5S

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Office04

147.185.221.19:33587

Mutex

$Sxr-lG7PreqFKmNhJc0CKS

Attributes

encryption_key
11fnZjAdVB1EIQVhl7wn
install_name
DLLrunhost.exe
log_directory
UpdLogs
reconnect_delay
3000
startup_key
WindowsAudioHelper
subdirectory
Windows

Targets

- Target
  
  Release (1).rar
- Size
  
  2.1MB
- MD5
  
  d3efe853d6c513b2d6902725046b6ca5
- SHA1
  
  c35339b4153832e66876908933636e129f7a1a2c
- SHA256
  
  8904d96a473dd52cd5255e046d47148eb27cc778395fff4f220bbb9509f643d8
- SHA512
  
  b737ca1a9a89141bfec0c78384b794abc04b141ee5c67425a0f96b2bf44dcd20b40cd8193bc05b83d80f542e1aca99df82e1be5bf0c2c9f8f8f7a83326d537ec
- SSDEEP
  
  49152:LcfFNSDhMpeKfGO4xsJsDv+IVFH0xCf33auJ06cwPh2:WnoMrfGOpJsDv+UFHr/5S
Score

3^/10
behavioral1 behavioral2
- Target
  
  Guna.UI2.dll
- Size
  
  2.1MB
- MD5
  
  b429ae86c5be521bc8ca3b164cec3acb
- SHA1
  
  387560073ff5a1f2191abc6f75fc34532bbb6dd2
- SHA256
  
  3ac70532408b89159bfe235d4ed228faa03ae3fbd63ec6a82d895f287a3b0579
- SHA512
  
  eae65de53da50708983ed8ebf9e1e3dd5f9aea95a354d272e199bb59517f62bfe35f0df7a37d81ab0423d0d6d29304fa70284c731bd54023e446b2c19bacafb1
- SSDEEP
  
  24576:DgWuftU4WrNOA6sM6kXxMfNmnjk/c5NrH0UUoo2QkJXVSItH5ppoO0KzJ6nFwHQL:DA+NOpXm1mnj0cP+DkhMAiawnFV
Score

1^/10
behavioral3 behavioral4
- Target
  
  IDTOIPBYR_0.deps.json
- Size
  
  2KB
- MD5
  
  a894cb3d393263325741b472605a088e
- SHA1
  
  41b9c4ff3c761bb362457cb5225f136ca8a93beb
- SHA256
  
  56ab1b179ec0bafceca428c50b5a887c0708914e68c2c1e8c120811215890724
- SHA512
  
  c4169a125a0b3add6cbbce853229bfdad1cbc7fc2fd9580ec9851e42d91d12d8a729045623f934f19bcdf21ae23328d8516f1abfc29fc7530157712df6e2cbf6
Score

3^/10
behavioral5 behavioral6
- Target
  
  IDTOIPBYR_0.dll
- Size
  
  38KB
- MD5
  
  b653b660e1aca5529c24b1ee268b2829
- SHA1
  
  a05cbb401ab1648e1078f1a27286c5f7155d357f
- SHA256
  
  c924d7502dcf3af74739270218066f0431678e122fa35aefefdacc1edd2b1b0c
- SHA512
  
  9cee437b7524deabc31d9a219e77ef72cbc342563e6c34a0f2aa568b8b35a91cfe81c91fcd6ba085238664f374d200d6017e3e6fd8c5e0d0f751b802fc043e2f
- SSDEEP
  
  384:nLRF4OFc5Kjagmz2OpZkWX+lnjofGZTW65TRE0iA97aa9yN+JWhDCEjUoe0BFqCd:nLRFDTXOGZv5O0iW2awrUoDBFq3D0
Score

10^/10

quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral7 behavioral8
- Target
  
  IDTOIPBYR_0.exe
- Size
  
  413KB
- MD5
  
  aabcedbac7ad8b10993f6de878be1ba4
- SHA1
  
  be8ea58edc1e83ebf33fe0e87a29916e9c554426
- SHA256
  
  4466cd4392c0fa3c49979664630db1b607e129c858fd44507cf5fc6b5b9dd3ba
- SHA512
  
  5a2bb094997699335a149ca353dc5e98e66482aa9dadc52502068337760bbd65bd648b3935777f4424e9811705657bcd2eb38254d731d892256d578c1f1eaf66
- SSDEEP
  
  6144:2gmEjkzQT1TVNSeE7E11zVeusnib8YoVHR8z0n7kgpMRqZGe:T1TVVXEo13eusHnVH9pMRWGe
Score

10^/10

quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10 behavioral9
- Target
  
  IDTOIPBYR_0.pdb
- Size
  
  17KB
- MD5
  
  eaade6e9725fad7772315e2b9d1e82aa
- SHA1
  
  bd643be28415cbfda78d9e9dc685cee28cbf3651
- SHA256
  
  664257f7eaea44c12ce83162d278a046cbdc743c21d68ceddb551f7ff7fa030f
- SHA512
  
  39fbdbb7e34a342695769816f3437eed4fe4d677322a878c561d159bf43f8fb6ed9e1625ccd2405c2e5d2a9234b9e3e3ed38fdeebd6f170543e538d2704d508c
- SSDEEP
  
  384:Df8jdHvTyslX+A60a09v2osS0HZtOGjBO7QUMbpBkPMg/cpX4rfH8f6Awb3LjBAv:SH7yTTOUeGbpBk0gEUBAv
Score

3^/10
behavioral11 behavioral12
- Target
  
  IDTOIPBYR_0.runtimeconfig.json
- Size
  
  458B
- MD5
  
  07b9a30265ca4e69c7016a1b6e3ffc27
- SHA1
  
  3a4af82a2695b1423aedd8b60a5c86793c011b02
- SHA256
  
  c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782
- SHA512
  
  efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c
Score

3^/10
behavioral13 behavioral14
- Target
  
  System.Management.dll
- Size
  
  72KB
- MD5
  
  1c71e5310151ce1e9a3a92797776bdad
- SHA1
  
  fd452b874fec4a9dae61a3710fb32749dc7d701e
- SHA256
  
  f515ca5c944c332ab706ff0a7c2e53e66d0d9d8a663e9b2691b35129ee22559b
- SHA512
  
  2a4f18c77449c2d06a3ab6807338f73b03b1faa332e78319829ba3a2b6fd98bb9a83c5e29b47d55e4ce7f0dfdcd8524fa592a0f3ca8ee09daae2894b681265a8
- SSDEEP
  
  768:BrEP45HksbMU3se5c/0b/9nLZV1BCUkVoV0lP7H0CkkiSLJKdbY8Mtuo0eDQP9zu:bbz5wulNV1zkSQzHxkxS9yc8no0nzu
Score

1^/10
behavioral15 behavioral16

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Command and Scripting Interpreter

T1059

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Quasar RAT

Quasar payload

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Quasar RAT

Quasar payload

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16