General

  • Target

    Client-builtduk.exe

  • Size

    502KB

  • Sample

    230217-syjgzagb28

  • MD5

    e16470596e795b2d671d0587a50f0a39

  • SHA1

    222d454c14f8347f2b05986b9d7e279f53282820

  • SHA256

    f6f96c1d38b368472b28b9ffb23b099de90f04bfec19ca24224b215d86c401af

  • SHA512

    04f0c3cd6fb20b200831ea8cb3659eb009c008da5ac4e404f30b5d1881c434e1bf2a03854a7770d0ac7a03d3b7210aa5b14af9d748d2b290c153bf677ea02bf8

  • SSDEEP

    6144:DTEgdc0YCXc2rao+RGmTnIEdm/9KI0/QpocExeb8F9oLdHpcTR3v:DTEgdfYYramx01hZiFpcdv

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.0

  • Botnet

    Office04

  • C2

    mingrelian.ddns.net:5552
    127.0.0.1:5552
    mingrelian.duckdns.org:5552

  • Mutex

    ac295147-615a-4c75-baa4-17de592dbddd

Attributes

  • encryption_key

    8D503852994A4016F90481B3C6305365B2B155CF

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Client-builtduk.exe

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6