Overview

overview

10

Static

static

8

f09f54a8c6...da.xls

windows7-x64

1

f09f54a8c6...da.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda.xls

  • Size

    140KB

  • Sample

    221203-c9gvhsgg37

  • MD5

    784c8beac43a6f6de17a8f05299d528f

  • SHA1

    636573702a1feec449e3e13e1366221e1baff96d

  • SHA256

    f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda

  • SHA512

    af399f746e803c9f709a99c0430a8c7faca696fb59fbfde53f12e386fb9f116f8175b61835d86ed02bac26c535a903e88b4cb9add91ed6cedb9a5f8fad030de4

  • SSDEEP

    3072:HrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAIWpnUXB7pqkCkGSjrU91z+M/7OmGie:LxEtjPOtioVjDGUU1qfDlavx+W2QnA1d

Score
10/10
quasarvoopmacromacro_on_actionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

voop

C2

dnuocc.com:64594

www.dnuocc.com:64594
Mutex

QSR_MUTEX_jVITO6bRbVmJHVOAi1

Attributes
  • encryption_key

    3yswT16VMWc6VjRIJeXD

  • install_name

    vcv.exe

  • log_directory

    Logs

  • reconnect_delay

    30000

  • startup_key

    vcr

  • subdirectory

    vcv

Targets

    • Target

      f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda.xls

    • Size

      140KB

    • MD5

      784c8beac43a6f6de17a8f05299d528f

    • SHA1

      636573702a1feec449e3e13e1366221e1baff96d

    • SHA256

      f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda

    • SHA512

      af399f746e803c9f709a99c0430a8c7faca696fb59fbfde53f12e386fb9f116f8175b61835d86ed02bac26c535a903e88b4cb9add91ed6cedb9a5f8fad030de4

    • SSDEEP

      3072:HrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAIWpnUXB7pqkCkGSjrU91z+M/7OmGie:LxEtjPOtioVjDGUU1qfDlavx+W2QnA1d

    Score
    10/10
    quasarvoopspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks