General

  • Target

    e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

  • Size

    411KB

  • Sample

    220524-s9e9pacbfq

  • MD5

    2adea70fccf261c8c99d87be94dff75b

  • SHA1

    ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

  • SHA256

    e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

  • SHA512

    286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

BoT

C2

deepfred420.ddns.net:9064

Mutex

GonbH7yXnux3KU6CkF

Attributes
  • encryption_key

    ctcKPuPY3bRDHuYmzlto

  • install_name

    Explorer.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Explorer

  • subdirectory

    WServices

Targets

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

  • Replication Through Removable Media (T1091), 1 hit

Discovery

  • Query Registry (T1012), 1 hit

  • System Information Discovery (T1082), 2 hits

  • Remote System Discovery (T1018), 1 hit

Lateral Movement

  • Replication Through Removable Media (T1091), 1 hit
