General

  • Target

    svchost.exe

  • Size

    502KB

  • Sample

    230213-r5pf5adc7w

  • MD5

    91889bc763dbb417e04b7055dad76017

  • SHA1

    468ef6078b39aee737fdff011952cbaa0811a8f7

  • SHA256

    7eafe295746a209dec85a32474b473bf4d61c843020f9d435c73c2bd9d67b1a3

  • SHA512

    848828336b05f00d5b9cd8c6690e455c01a663eb1667ce9b3282f03ed766a5a1b5d9ae502d76c90b64fad4d4570164e16a1fd045b4fa39b77e022da0875f2393

  • SSDEEP

    6144:hTEgdc0YrXAGbgiIN2RSBreBTAFQKmFLULcEcOb8F94SM01Lc6OcTR3C:hTEgdfYbbg7spdM026OcdC

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

mingrelian.ddns.net:5552

Mutex

ac295147-615a-4c75-baa4-17de592dbddd

Attributes
  • encryption_key

    8D503852994A4016F90481B3C6305365B2B155CF

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      svchost.exe

    • Size

      502KB

    • MD5

      91889bc763dbb417e04b7055dad76017

    • SHA1

      468ef6078b39aee737fdff011952cbaa0811a8f7

    • SHA256

      7eafe295746a209dec85a32474b473bf4d61c843020f9d435c73c2bd9d67b1a3

    • SHA512

      848828336b05f00d5b9cd8c6690e455c01a663eb1667ce9b3282f03ed766a5a1b5d9ae502d76c90b64fad4d4570164e16a1fd045b4fa39b77e022da0875f2393

    • SSDEEP

      6144:hTEgdc0YrXAGbgiIN2RSBreBTAFQKmFLULcEcOb8F94SM01Lc6OcTR3C:hTEgdfYbbg7spdM026OcdC

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks