General

  • Target

    cc2d0c3397041334b027bc4390544c06b1393732837b6e8ccc15569abadad5fc

  • Size

    1.3MB

  • Sample

    230129-r7lg9abe66

  • MD5

    3991c789ed9ca51b56a2d87ade48cb35

  • SHA1

    9ebeda70da12328ed412cb105861e06210b64b14

  • SHA256

    cc2d0c3397041334b027bc4390544c06b1393732837b6e8ccc15569abadad5fc

  • SHA512

    f117241d7f8993a182aece7ccaf8753bb33a4b206c5f5d72b2d140778b2e5a02cca409e2eabc0ab3bf96c7bc85309bfe1c5a691dc7a63edd4fb7a0b94fce822c

  • SSDEEP

    12288:r6NSgL0KFOdisSPDeAS7pmcApQpQCtWV1fFxxO3XU3/KnJPOjTt1N70FeNP6Dj:WWK6ilM7TApQqVFCU3/KJ6rNGeNP6D

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

51.83.153.85:5000

Mutex

QSR_MUTEX_5uMaV9gOc4CzQqg9F2

Attributes
  • encryption_key

    tArX63HaWQRmB3XpAuu1

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      cc2d0c3397041334b027bc4390544c06b1393732837b6e8ccc15569abadad5fc

    • Size

      1.3MB

    • MD5

      3991c789ed9ca51b56a2d87ade48cb35

    • SHA1

      9ebeda70da12328ed412cb105861e06210b64b14

    • SHA256

      cc2d0c3397041334b027bc4390544c06b1393732837b6e8ccc15569abadad5fc

    • SHA512

      f117241d7f8993a182aece7ccaf8753bb33a4b206c5f5d72b2d140778b2e5a02cca409e2eabc0ab3bf96c7bc85309bfe1c5a691dc7a63edd4fb7a0b94fce822c

    • SSDEEP

      12288:r6NSgL0KFOdisSPDeAS7pmcApQpQCtWV1fFxxO3XU3/KnJPOjTt1N70FeNP6Dj:WWK6ilM7TApQqVFCU3/KJ6rNGeNP6D

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks