General

  • Target

    586Client-built.exe

  • Size

    502KB

  • Sample

    230220-xdxlbabh94

  • MD5

    9b88ff4481e391240a73bfa6a77d0ffe

  • SHA1

    b761dbb2f335dafa905e51d99e575035cfce4a79

  • SHA256

    ee70c6c9be8f4ee4ef8988abeb74274637424e0b16d6a0139ffe7684d3a0cf70

  • SHA512

    1ebab59476591094a07079403f1cafcaf90ba5d4392323e472da3f4fca05d98adf1e9cb8c445b2438d57165aa271821963c75f61811e0f14c2f46e2cfc6a3d6d

  • SSDEEP

    12288:1TEgdfYexUzDXoMK4bywOApKEMXql5bcdW:WUw3sCywOApE6l9cdW

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

staff-defines.at.ply.gg:58642

Mutex

2e9761cb-ec4c-4ce1-a7ad-c3b29a10d95c

Attributes

  • encryption_key

    B502E88905C46E4DDCA7F9C490E1523FE06B4C01

  • install_name

    Okay.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SenpaiClient

  • subdirectory

    SubDir

Targets

    • Target

      586Client-built.exe

    • Size

      502KB

    • Quasar RAT

      Quasar is an open-source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks