General

  • Target

    prryry.bat

  • Size

    325KB

  • Sample

    230209-sfkx3sgg26

  • MD5

    0e901cd4460579b61abece2b88f54035

  • SHA1

    e776e751a2257cc6d56b85dd7f3c5c1a64bfc604

  • SHA256

    59fbf83208e965445268cc973a63516dba60c68eced0d3cd8ed2e9499951dc32

  • SHA512

    f15cbd6d506142f0c1f3f5271881c4e083d08976f34d18b72d4967efe33f4479acf3d3f3b5d9ea537f110be407a72c968204494428e1f0626ffe10bdc3df4a45

  • SSDEEP

    6144:/4qtTlM41OxgA7WSagBFKONpwB0Xf3fqYDhWdugk14piavaa:VTlMzgqLBFKOz2kh6kGkK

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

quasharr.ddns.net:4782

quasharr21.ddns.net:4782

quasharr22.ddns.net:4782

quasharr33.ddns.net:4782

Mutex

1f1a8604-757c-4251-9294-1b6985c3c1c7

Attributes

  • encryption_key

    2D1A3994D3C8E5C6071E7048589030F3E389DDC7

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows

  • subdirectory

    SubDir

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks