General

  • Target

    Credit note FEB23.exe

  • Size

    956KB

  • Sample

    230216-kj1tpsgd7s

  • MD5

    d0620b6592435383246986535d5bd90c

  • SHA1

    c7bfdd4e3d77ae0417f8dfa84af98db180b89e31

  • SHA256

    274e032cefa381cff9cdddba5463d2f1a14c9e64c3ae8e41b4b960b8e3f95ac5

  • SHA512

    620511215cbfdb34c05ced3722588ab25eff93cd64bd377c3882ea6014593d73954657d58b6c1573354abad89efd1333e2b2b4eb1b44214f18b7c3595b671c27

  • SSDEEP

    24576:QAzssFINDnpNOlAe/2wPdVF5iMZagA39+vD8+qiS0DCtIT:QGd/5iMZagAuQ+s

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

37.120.210.219:9771

Mutex

cdc62cc3-297d-4baa-b514-fcd69f23b760

Attributes
  • encryption_key

    F6CA1DFF4431556F5D775676A4005D1B1ABD97F4

  • install_name

    Client.exe

  • log_directory

    quasar

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Credit note FEB23.exe

    • Size

      956KB

    • MD5

      d0620b6592435383246986535d5bd90c

    • SHA1

      c7bfdd4e3d77ae0417f8dfa84af98db180b89e31

    • SHA256

      274e032cefa381cff9cdddba5463d2f1a14c9e64c3ae8e41b4b960b8e3f95ac5

    • SHA512

      620511215cbfdb34c05ced3722588ab25eff93cd64bd377c3882ea6014593d73954657d58b6c1573354abad89efd1333e2b2b4eb1b44214f18b7c3595b671c27

    • SSDEEP

      24576:QAzssFINDnpNOlAe/2wPdVF5iMZagA39+vD8+qiS0DCtIT:QGd/5iMZagAuQ+s

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks