General

  • Target

    Client-built.exe

  • Size

    502KB

  • Sample

    230218-s6etracf36

  • MD5

    b19e73c0df819f80752d5554c6dd8189

  • SHA1

    c335ba9f8c718d97de33149e45e76d5ec4379131

  • SHA256

    82b83257386bbf56012daf7a3e96340cc672142966b92d66e212d733fe9a5730

  • SHA512

    5334081ce161602edee78ab09469c4120f31f9e14f4f13f4099cbd9caae603fb3c5cf9a916292d54e9975566ff2a4ab1ffb00e4d2781751e4370db3bde3c6e79

  • SSDEEP

    6144:0TEgdc0Y5ebGbXOsA6j1RdhWnf4moYsxW5Etql+yw4EUcEpOb8F9d9Sl3HPvcTRy:0TEgdfYhA6yf4Fn44ywGZpX9u3Xcdi

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

mingrelian.ddns.net:5552

127.0.0.1:5552

Mutex

ac295147-615a-4c75-baa4-17de592dbddd

Attributes
  • encryption_key

    8D503852994A4016F90481B3C6305365B2B155CF

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Client-built.exe

    • Size

      502KB

    • MD5

      b19e73c0df819f80752d5554c6dd8189

    • SHA1

      c335ba9f8c718d97de33149e45e76d5ec4379131

    • SHA256

      82b83257386bbf56012daf7a3e96340cc672142966b92d66e212d733fe9a5730

    • SHA512

      5334081ce161602edee78ab09469c4120f31f9e14f4f13f4099cbd9caae603fb3c5cf9a916292d54e9975566ff2a4ab1ffb00e4d2781751e4370db3bde3c6e79

    • SSDEEP

      6144:0TEgdc0Y5ebGbXOsA6j1RdhWnf4moYsxW5Etql+yw4EUcEpOb8F9d9Sl3HPvcTRy:0TEgdfYhA6yf4Fn44ywGZpX9u3Xcdi

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks