General

  • Target

    0x002000000000f683-57.dat

  • Size

    289KB

  • Sample

    230225-v3eexsdf7t

  • MD5

    9ed927a589ceb0eb1cd72036f72b65ac

  • SHA1

    b48d9257d0c902736c897a4d0cdf430939ff47af

  • SHA256

    ed1545bda10c94c007b0d75b7895d10548fa096ba1b984b519737dfc6f307f3a

  • SHA512

    282871bd88691162e3aaa5f679049e991ecc3ea605fcb8a63eac284f93e2c499a7a36bae26f584675de5601fc72710eb464068f4d258bf7184cb1da2fe573675

  • SSDEEP

    6144:4RSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkuVB:h4AZrg7g9zVGkllbko

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

67.213.221.18:7812

Mutex

KFoYp486ql6lO6U0qI

Attributes

  • encryption_key

    OtItMK9boIZNOQTejUzg

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Windows Services
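The fields above are recovered from the client's Settings block, which Quasar 1.4 stores as Base64 strings protected by its Aes256 class: the encryption_key is run through PBKDF2-HMAC-SHA1 with a fixed 32-byte salt and 50,000 iterations, the first 32 derived bytes become the AES-256 key and the next 64 the HMAC-SHA256 key, and each blob is laid out as HMAC(32) || IV(16) || AES-256-CBC ciphertext with PKCS7 padding. The Ruby below is an added example, not part of this report or of the Quasar project: it re-implements that routine so an analyst holding a dumped client can decrypt any remaining settings strings with the encryption_key reported here. The salt and parameters are transcribed from Quasar 1.4's Aes256.cs; the function names are this example's own, and because the page reproduces no ciphertext, the sample blobs are constructed by the script itself from the extracted C2, mutex and startup_key values.

```ruby
require "openssl"

# Constants from Quasar 1.4's Aes256 class (Quasar.Common/Cryptography/Aes256.cs):
# fixed 32-byte salt, 50,000 PBKDF2-HMAC-SHA1 rounds, then a 32-byte AES key
# followed by a 64-byte HMAC key taken from the same derived byte stream.
QUASAR_SALT = [
  0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
  0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41
].pack("C*")
QUASAR_ITERATIONS = 50_000
HMAC_LEN = 32
IV_LEN = 16

# encryption_key from the extracted config above.
ENCRYPTION_KEY = "OtItMK9boIZNOQTejUzg"

# Returns [aes_key (32 bytes), auth_key (64 bytes)], matching two sequential
# Rfc2898DeriveBytes.GetBytes(32) / GetBytes(64) calls in the client.
def derive_keys(master_key)
  stream = OpenSSL::PKCS5.pbkdf2_hmac(master_key, QUASAR_SALT, QUASAR_ITERATIONS,
                                      32 + 64, OpenSSL::Digest.new("SHA1"))
  [stream[0, 32], stream[32, 64]]
end

# Constant-time comparison so a MAC check does not leak how many bytes matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decrypts one Base64 settings string. Layout: HMAC-SHA256(32) || IV(16) || AES-256-CBC ciphertext.
# The MAC covers IV and ciphertext and is verified before any decryption, as in the client.
def quasar_decrypt(master_key, b64)
  aes_key, auth_key = derive_keys(master_key)
  blob = b64.unpack1("m0")
  raise ArgumentError, "blob too short" if blob.bytesize < HMAC_LEN + IV_LEN + 16
  received_mac = blob[0, HMAC_LEN]
  body = blob[HMAC_LEN..-1]
  expected_mac = OpenSSL::HMAC.digest("SHA256", auth_key, body)
  raise ArgumentError, "invalid message authentication code (MAC)" unless constant_time_equal?(expected_mac, received_mac)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  cipher.key = aes_key
  cipher.iv = body[0, IV_LEN]
  (cipher.update(body[IV_LEN..-1]) + cipher.final).force_encoding("UTF-8")
end

# Encrypts in the same layout. Present only to construct test blobs, since this
# page reproduces no ciphertext from the sample.
def quasar_encrypt(master_key, plaintext)
  aes_key, auth_key = derive_keys(master_key)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  cipher.key = aes_key
  iv = cipher.random_iv
  body = iv + cipher.update(plaintext) + cipher.final
  [OpenSSL::HMAC.digest("SHA256", auth_key, body) + body].pack("m0")
end

# Decrypts a whole settings block (field name => Base64 blob) to field name => plaintext.
def decrypt_settings(master_key, fields)
  fields.transform_values { |v| quasar_decrypt(master_key, v) }
end

if __FILE__ == $0
  # Constructed sample: values from the extracted config, encrypted under its own key.
  constructed = {
    "HOSTS"      => quasar_encrypt(ENCRYPTION_KEY, "67.213.221.18:7812;"),
    "MUTEX"      => quasar_encrypt(ENCRYPTION_KEY, "KFoYp486ql6lO6U0qI"),
    "STARTUPKEY" => quasar_encrypt(ENCRYPTION_KEY, "Windows Update"),
  }
  decrypt_settings(ENCRYPTION_KEY, constructed).each { |k, v| puts "#{k} = #{v}" }
end
```

To use it against a real client, pull the Base64 string constants out of the Settings class of the dumped assembly (a .NET decompiler or a strings pass over the module is enough) and feed them to decrypt_settings with the encryption_key; a wrong key or a tampered blob fails at the MAC check rather than producing garbage, which is also a cheap way to confirm that the extracted key really belongs to that build.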

Targets

    • Target

      0x002000000000f683-57.dat

    • Quasar RAT

      Quasar is an open-source .NET remote access tool (RAT) for Windows; the extracted configuration above is the decrypted settings block of a client built from version 1.4.0.0.

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6