General

  • Target

    aee53c247ee210c7a3189b41d117c71f0b962f49da436bf2c57e9934316e6070

  • Size

    16.1MB

  • Sample

    230129-wtqx2aaa2x

  • MD5

    e8e93631767c8b5b5a4afcef0fbd93e0

  • SHA1

    02baffbc04e9ca472288c13111134cebd478e5e7

  • SHA256

    aee53c247ee210c7a3189b41d117c71f0b962f49da436bf2c57e9934316e6070

  • SHA512

    cce3d2ea73b611118b8b18ab51771c386b6bbef159aeea04b183c04727bbb8658a151ed879a89c479bf2fdde32023235fae9802f6e1ecd9b98c2048230150360

  • SSDEEP

    196608:U+b8ve9Ab5jb55ix+eew2dS4+ipkAipckp:U48ve9w0ewK/dup/p

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.3.0.0

  • Botnet

    Office04

  • C2

    185.174.172.24:222

  • Mutex

    QSR_MUTEX_l4Q4az83wPO98KUwCA

Attributes

  • encryption_key

    rJLmSNNfkwxt1O20iBU6

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets


    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
