General

  • Target

    d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4

  • Size

    141KB

  • Sample

    220504-a63xgafdfj

  • MD5

    4d28365c5342f773b394205ef9eaec69

  • SHA1

    d6e066005bb5b69d5dbc5088f214012a7ab8b080

  • SHA256

    d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4

  • SHA512

    b3c4df7e68555ad04204ea798fe737ea2bc9d63400e81d02f7fdfe1b4c7e45a19436d7d3c51f355d2a1306eae1bd0912155760067e6d57b62cf98c519b70ef3e

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.0

  • Botnet

    1

  • C2


  • Mutex

    2e3c0776-66f3-4050-b059-b831e335e235

Attributes

  • encryption_key

    67DFA5AFA3111DA4B8B545C503A131C3C3D1E34C

  • install_name

    WinUpdater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WinUpdater

  • subdirectory

    WinUpdater

Targets

    • Modifies visibility of hidden/system files in Explorer

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Hidden Files and Directories (1)

    T1158

  • Registry Run Keys / Startup Folder (1)

    T1060

Defense Evasion

  • Hidden Files and Directories (1)

    T1158

  • Modify Registry (2)

    T1112

Discovery

  • System Information Discovery (1)

    T1082

  • Remote System Discovery (1)

    T1018

Tasks