General

  • Target

    Heart Sender V5.0.exe

  • Size

    439KB

  • Sample

    230225-v1zyvadh53

  • MD5

    8f808bb54b422500304dfc68b87198fc

  • SHA1

    24ebeb615f0bdcaa3980722100d6fc42111b62ec

  • SHA256

    680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75

  • SHA512

    46ce4cde81607819e360b0efc424c4b5602c7515661a88e6a0d66cd9e88dcc68219f0a85200e6c40cc34bcac0e5ab652e6db4b4b1c1b913ad351061dae880e99

  • SSDEEP

    6144:vwLRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkuVB8:v/4AZrg7g9zVGkllbko

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

67.213.221.18:7812

Mutex

KFoYp486ql6lO6U0qI

Attributes
  • encryption_key

    OtItMK9boIZNOQTejUzg

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Windows Services

Targets

    • Target

      Heart Sender V5.0.exe

    • Size

      439KB

    • MD5

      8f808bb54b422500304dfc68b87198fc

    • SHA1

      24ebeb615f0bdcaa3980722100d6fc42111b62ec

    • SHA256

      680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75

    • SHA512

      46ce4cde81607819e360b0efc424c4b5602c7515661a88e6a0d66cd9e88dcc68219f0a85200e6c40cc34bcac0e5ab652e6db4b4b1c1b913ad351061dae880e99

    • SSDEEP

      6144:vwLRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkuVB8:v/4AZrg7g9zVGkllbko

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               | Technique                    | Count | ID
  Execution            | Scheduled Task               | 1     | T1053
  Persistence          | Scheduled Task               | 1     | T1053
  Privilege Escalation | Scheduled Task               | 1     | T1053
  Discovery            | Query Registry               | 1     | T1012
  Discovery            | System Information Discovery | 2     | T1082

Tasks