General

  • Target

    tmp

  • Size

    542KB

  • Sample

    221017-e6te9aaggj

  • MD5

    186564601c2f222119117fb148add063

  • SHA1

    3e18d54d5a459dfe2348d42a7ab9d0fa80ab79b4

  • SHA256

    9d2d44a8cb4c44032550715e8598ae5a3254ee60e6ff95e4deb2d7c957419890

  • SHA512

    3fa611f004c358596bcd361baffba12f405035430caebc13f88a3a67f2952144ceabd139fca9f35afbb8d21563108a0131f62b1675c911b36a952e47cf1187d6

  • SSDEEP

    6144:k9gebGbXOsA6j1RdheM+DvdggmcvNY2GIKSLcEu0b8FSBp9rhMOkrcTR3A1TEgdA:3A623gWLefCfXkrcdA1TEgdfYf

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

2022

C2

gh0008888.ddns.net:2888

wc-ltc.ddns.net:2888

Mutex

8eaef1fe-37f7-4e61-a64a-362606e0ef72

Attributes
  • encryption_key

    4BF9DE9DE710A8249A32AFF5A8A36A68EB5C6E1A

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    C:\Windows\Fonts\system

Targets

    • Modifies system executable filetype association

    • Neshta

      Malware in the Neshta family injects itself into other executable files to spread and cause damage.

    • Quasar RAT

      Quasar is an open-source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

MITRE ATT&CK Enterprise v6

Tasks