General

  • Target

    HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

  • Size

    16.5MB

  • Sample

    230212-aav7raee2t

  • MD5

    b9874cdde692f485a1c609aeafd075c3

  • SHA1

    8806ac9b20eaa78f89b5dfd1b78a3c7fb5cbffce

  • SHA256

    66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb

  • SHA512

    955e5e731e2d3fe9299fb90995fba95409d5b6086306960defbdc17f855175c63ccdb713f16b3e6ac3ee007f2317461d2e8693afefc56e7de494d879a3fd0aee

  • SSDEEP

    98304:AQC5lSLCSHP8Z2HOR0mW1LCjqOMKmxE6G:LC5R0mh

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ET

C2

orcus.dyndns.org:1605

lsdw.dyndns.org:1606

labeokunta.dynnds.org:1606

xpert.dyndns.biz:1605

qz.dyndns.org:1605

imageline.dyndns.org:1606

kontakt-update.selfip.net:1606

Mutex

QSR_MUTEX_X8N0tEAk1p1Gbe9ioj

Attributes
  • encryption_key

    jVpAHlJqCIQYSDZsOYMx

  • install_name

    Client.exe

  • log_directory

    db.xlm

  • reconnect_delay

    30000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

bitrat

Version

1.38

C2

hiv.dyndns.org:2222

Attributes
  • communication_password

    194dd40edef1873b88c241057bb55f1b

  • tor_process

    tor

Targets

    • Target

      HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

    • Size

      16.5MB

    • MD5

      b9874cdde692f485a1c609aeafd075c3

    • SHA1

      8806ac9b20eaa78f89b5dfd1b78a3c7fb5cbffce

    • SHA256

      66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb

    • SHA512

      955e5e731e2d3fe9299fb90995fba95409d5b6086306960defbdc17f855175c63ccdb713f16b3e6ac3ee007f2317461d2e8693afefc56e7de494d879a3fd0aee

    • SSDEEP

      98304:AQC5lSLCSHP8Z2HOR0mW1LCjqOMKmxE6G:LC5R0mh

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • HiveRAT

      HiveRAT is an improved version of FirebirdRAT with various capabilities.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • HiveRAT payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks