Overview

overview

10

Static

static

1

371d633006...2b.png

windows10-1703-x64

6

371d633006...2b.png

windows10-2004-x64

10

371d633006...2b.png

ubuntu-18.04-amd64

371d633006...2b.png

debian-9-armhf

371d633006...2b.png

debian-9-mips

371d633006...2b.png

debian-9-mipsel

Sharing

Copy URL
Twitter E-mail

General

  • Target

    371d633006158f2c89f3730b938ddc4e42c2832b.png

  • Size

    624B

  • Sample

    230606-l9ympsdb57

  • MD5

    69452d13127d4c960ead3b1212530683

  • SHA1

    4d998eb0e1e3ebbd16ad61685d16f9608142d953

  • SHA256

    e5349547d8f8928be45acaadcfa70997fd0ee846f182d0cc270a089e963e1e93

  • SHA512

    b649e0962d0294da46d814e3592cae7d07a366b49798504abc967f7080f089e28268e56a8ef5d08e1f00003df5409e9d547e43001ae68fef4b4674d1e4afc201

Score
10/10
quasaroffice04linuxspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.127.0.198:4782

Mutex

86fa21e9-bbe4-49b9-b2cd-2dd9def8e8bb

Attributes
  • encryption_key

    E841B05FE1D7643875F0EEC32C3E585D6C007D3A

  • install_name

    SubDir.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      371d633006158f2c89f3730b938ddc4e42c2832b.png

    • Size

      624B

    • MD5

      69452d13127d4c960ead3b1212530683

    • SHA1

      4d998eb0e1e3ebbd16ad61685d16f9608142d953

    • SHA256

      e5349547d8f8928be45acaadcfa70997fd0ee846f182d0cc270a089e963e1e93

    • SHA512

      b649e0962d0294da46d814e3592cae7d07a366b49798504abc967f7080f089e28268e56a8ef5d08e1f00003df5409e9d547e43001ae68fef4b4674d1e4afc201

    Score
    10/10
    quasaroffice04spywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2behavioral3behavioral4behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Command-Line Interface

1
T1059

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

5
T1082

Query Registry

4
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks