General

  • Target

    efb2d35f2a187b18fb7fe32eb68dd927.bin

  • Size

    4.9MB

  • Sample

    230130-yljj4ace45

  • MD5

    efb2d35f2a187b18fb7fe32eb68dd927

  • SHA1

    12a73b569e16637e6e783b59d627f44ce0bf26d2

  • SHA256

    10b1a61abfb2f91eea0fec8b52e5602c0f8630703a159593d23daf3c76da145f

  • SHA512

    1f97643fd6990f19c17df867b0d86e3ef14837e09a500f2c4dff6652e81f3e965149e6b50b50f6dee257889c54b990248dd37b0920c1a630eea4cdca06260b34

  • SSDEEP

    98304:p2cPK8sxc2Ml4nALiVRKC4x0UWMqs+QY/c0PjiqBa:QCK3e2Ml6AmVR80MbGjiqBa

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Adobe XD

C2

stopman.ooguy.com:1980

craftIP.gize.com:1980

Mutex

NtOcRpqrVzcLWKF9xK

Attributes

  • encryption_key

    PB6sv6yXkRlKJgQI1D4W

  • install_name

    Client.exe

  • log_directory

    mincraft

  • reconnect_delay

    5000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      efb2d35f2a187b18fb7fe32eb68dd927.bin

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks