General

  • Target

    Client-built.exe

  • Size

    502KB

  • Sample

    230225-wnf6msdg41

  • MD5

    a70eb80f62175945e7a830f4966b1108

  • SHA1

    b6d9ff4ca8f836c60c643e47fd3a22b96d600cac

  • SHA256

    3651d825403a98583a3f9622d221f0dece996d6f5e3614114ad2d2625144216b

  • SHA512

    883030c34b3e281cec19a7734e9f484c3fd4f9fa7b7f109e01c5750404a6d2856c3d40cdb4072682ab76818940bd075990b1cf054b60f467ee0102c907453856

  • SSDEEP

    6144:BTEgdc0YtX7IxUpGREW9nzXxm67rkW5Etqq+yw4fUcEpOb8F9i6v3aWvtoTcTR3i:BTEgdfY2xUQzh4n4Tyw/5pT3aQGcd7G

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

194.ip.ply.gg:54552

Mutex

716c625d-c482-416b-b1b9-99229108bb5a

Attributes

  • encryption_key

    B9045A156EB992A12FC06BA7C5161D3D36F95066

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    ss

  • subdirectory

    SubDir

Targets

    • Target

      Client-built.exe

    • Size

      502KB

    • MD5

      a70eb80f62175945e7a830f4966b1108

    • SHA1

      b6d9ff4ca8f836c60c643e47fd3a22b96d600cac

    • SHA256

      3651d825403a98583a3f9622d221f0dece996d6f5e3614114ad2d2625144216b

    • SHA512

      883030c34b3e281cec19a7734e9f484c3fd4f9fa7b7f109e01c5750404a6d2856c3d40cdb4072682ab76818940bd075990b1cf054b60f467ee0102c907453856

    • SSDEEP

      6144:BTEgdc0YtX7IxUpGREW9nzXxm67rkW5Etqq+yw4fUcEpOb8F9i6v3aWvtoTcTR3i:BTEgdfY2xUQzh4n4Tyw/5pT3aQGcd7G

    • Quasar RAT

      Quasar is an open-source Remote Access Tool (RAT).

    • Quasar payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks