General

  • Target

    53b736e0f18bb8d3026c5a0ff66843ed927120ec55e4a099c0b411214e6cbd88

  • Size

    1.7MB

  • Sample

    221123-17ffnshb24

  • MD5

    27973761305381b8a1888fa5fba466c0

  • SHA1

    8c3d7fcec5e2bf468edf04de4640e8b5b0cbb160

  • SHA256

    53b736e0f18bb8d3026c5a0ff66843ed927120ec55e4a099c0b411214e6cbd88

  • SHA512

    e38a991050d49668135466af5f885f0623614b13cfd26c20926fa7e164271de9a6ec60e9ac6022e07351f8d42aeb25be914e7de2887eeca24953c8c94f7d68de

  • SSDEEP

    24576:PUxJIRCRoenYQb6VOJ8Kgn1beVuumyEU:

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.0

  • Botnet

    Cio

  • C2

    162.19.131.197:4782

  • Mutex

    c5fdf017-8f44-47ea-a69e-0b82e4044ca7

Attributes

  • encryption_key

    59A92039F951E5069C9F50FD9F340E759713B058

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      53b736e0f18bb8d3026c5a0ff66843ed927120ec55e4a099c0b411214e6cbd88

    • Size

      1.7MB

    • MD5

      27973761305381b8a1888fa5fba466c0

    • SHA1

      8c3d7fcec5e2bf468edf04de4640e8b5b0cbb160

    • SHA256

      53b736e0f18bb8d3026c5a0ff66843ed927120ec55e4a099c0b411214e6cbd88

    • SHA512

      e38a991050d49668135466af5f885f0623614b13cfd26c20926fa7e164271de9a6ec60e9ac6022e07351f8d42aeb25be914e7de2887eeca24953c8c94f7d68de

    • SSDEEP

      24576:PUxJIRCRoenYQb6VOJ8Kgn1beVuumyEU:

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
