Resubmissions

30-05-2023 17:16

230530-vtdr2abc4v 10

30-05-2023 17:12

230530-vqzkbsah33 10

General

  • Target

    readme.txt

  • Size

    883B

  • Sample

    230530-vtdr2abc4v

  • MD5

    f32dc53dea22ab780d87dbe53ecc85f4

  • SHA1

    a3a57d0730c880a3e72371d15e5e8a96d71c2c1e

  • SHA256

    0865fcaaffbee526ecc6c62d837a7684b63c55ecc940887ec88c617836b83a40

  • SHA512

    bd3308edc436226e5e746d5e2cba7b716b92af6b67f7fdc2830d322e6a189ee4d914e24616af46168e3e5e42442df10e9e28d44374c80107de5c0b4988159886

Malware Config

Extracted

Family

quasar

Attributes
  • encryption_key

    428B8BF995C1D5153E40DED9D607521359BB4C60

  • reconnect_delay

    3000

  • subdirectory

    (

Targets

    • Target

      readme.txt

    • Size

      883B

    • MD5

      f32dc53dea22ab780d87dbe53ecc85f4

    • SHA1

      a3a57d0730c880a3e72371d15e5e8a96d71c2c1e

    • SHA256

      0865fcaaffbee526ecc6c62d837a7684b63c55ecc940887ec88c617836b83a40

    • SHA512

      bd3308edc436226e5e746d5e2cba7b716b92af6b67f7fdc2830d322e6a189ee4d914e24616af46168e3e5e42442df10e9e28d44374c80107de5c0b4988159886

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

5
T1082

Tasks