General

  • Target

    0a122731e6e699c540c78754df8e3424f648a462b7ecf2e86c970faa81d24c1f

  • Size

    1.7MB

  • Sample

    230129-r7qf7sbe68

  • MD5

    4ef8fbb16a16b76bc9700607ec6c4c21

  • SHA1

    7239208f8303c425034fb9dc2e72c97a1ebd1690

  • SHA256

    0a122731e6e699c540c78754df8e3424f648a462b7ecf2e86c970faa81d24c1f

  • SHA512

    354650516c0a6bbb0225d9ca7fd51fcc7b00ea3cae165c1a94257eb1a92edb7f7d549050ce03337c5eccf266f65d39c3c91d73c6a216511c2777a509953114f3

  • SSDEEP

    24576:J3la0TCZvSxjesdqxX7TySb3m8d4c5S3pHlWtr+DAJHGIxVkiLaoKUNtXa64F7:BGZvgtE5TDm8d4c2HlWsDyHtSoKSC

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

useittoday.ddns.net:7777

Mutex

e5ef083e-30c5-4583-b64d-761bdbc25eab

Attributes

  • encryption_key

    3A888BF4CE1BF01F1EE6502467C30202D4F3D1EC

  • install_name

    chrome.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Google Chrome

  • subdirectory

    SubDir

Targets

    • Target

      0a122731e6e699c540c78754df8e3424f648a462b7ecf2e86c970faa81d24c1f

    • Size

      1.7MB

    • MD5

      4ef8fbb16a16b76bc9700607ec6c4c21

    • SHA1

      7239208f8303c425034fb9dc2e72c97a1ebd1690

    • SHA256

      0a122731e6e699c540c78754df8e3424f648a462b7ecf2e86c970faa81d24c1f

    • SHA512

      354650516c0a6bbb0225d9ca7fd51fcc7b00ea3cae165c1a94257eb1a92edb7f7d549050ce03337c5eccf266f65d39c3c91d73c6a216511c2777a509953114f3

    • SSDEEP

      24576:J3la0TCZvSxjesdqxX7TySb3m8d4c5S3pHlWtr+DAJHGIxVkiLaoKUNtXa64F7:BGZvgtE5TDm8d4c2HlWsDyHtSoKSC

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks