Overview

overview

10

Static

static

8

Invoice #I...3.xlsm

windows7-x64

10

Invoice #I...3.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Invoice #INV-000003.xlsm

  • Size

    42KB

  • Sample

    230419-tmycesbg84

  • MD5

    085e42c1d3b9e1ff4ab0fbb281db1973

  • SHA1

    85254d8a790d17f8086a20fcb0a66ec9b2002ef5

  • SHA256

    4a5e25c3438b7613bfdbeb0ccc6a98ccf756cbd81ca8b6caa92017f384ac22de

  • SHA512

    e68e40ce3075118bb098d29993591460e0535debf5c68c874a627efc53c70e940cdb5cb369d4f941de28a8e273f1f919f11ef96294a373eefa165603fe74612a

  • SSDEEP

    768:lBvBp3vVssntNzgmABIJYfTH+niSp5vDHbAv+nWWFFiKk/f6qtGsk8R2+noiOr:3vfvVTD9AG1BLTbAv+FFFi3/CqQ58/o/

Score
10/10
quasarsuccessmacropersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

SUCCESS

C2

41.185.97.216:4782

Mutex

MUTEX_KMkEYpkuWKDvhVsEcT

Attributes
  • encryption_key

    kbnBYlo1Zoug7VQGhNv1

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    cmd

  • subdirectory

    SubDir

Targets

    • Target

      Invoice #INV-000003.xlsm

    • Size

      42KB

    • MD5

      085e42c1d3b9e1ff4ab0fbb281db1973

    • SHA1

      85254d8a790d17f8086a20fcb0a66ec9b2002ef5

    • SHA256

      4a5e25c3438b7613bfdbeb0ccc6a98ccf756cbd81ca8b6caa92017f384ac22de

    • SHA512

      e68e40ce3075118bb098d29993591460e0535debf5c68c874a627efc53c70e940cdb5cb369d4f941de28a8e273f1f919f11ef96294a373eefa165603fe74612a

    • SSDEEP

      768:lBvBp3vVssntNzgmABIJYfTH+niSp5vDHbAv+nWWFFiKk/f6qtGsk8R2+noiOr:3vfvVTD9AG1BLTbAv+FFFi3/CqQ58/o/

    Score
    10/10
    quasarsuccesspersistencespywaretrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks