General

  • Target

    2ee3aa9bc2da3fce27fe025356ae13b1.bin

  • Size

    3KB

  • Sample

    230701-bgyf5afb97

  • MD5

    f4499859a1a0cbacc6d97cdd7350856c

  • SHA1

    a4bc48f8c38b283779bb0b7f435ca9b144a65cb5

  • SHA256

    800b825fcf42dff45acf54bacae007176e930669987148d139693ff4fae6c807

  • SHA512

    0303c416252622a38400438ff391d2d6b8ef67ea8d2975623c34313647ad1501b2ca5bcada0c3771700fa95e772191eb0422a4110b05b18d1f2a371aa84f7059

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://pastebin.com/raw/16APD4C6

Extracted

  • Family

    quasar

  • Version

    1.3.0.0

  • Botnet

    ACS hope

  • C2

    crazydns.linkpc.net:26133

  • Mutex

    QSR_MUTEX_6iGAmxpR39hpOQEFqk

Attributes
  • encryption_key

    qiJ37BhO6EEtAoSo8ukb

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs

    • Size

      213KB

    • MD5

      2ee3aa9bc2da3fce27fe025356ae13b1

    • SHA1

      d6c9f20fbfef8b1dca77e002c4ad2b9f7cad13c5

    • SHA256

      77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1

    • SHA512

      44d12a96f0c6ab16de52ebaae017f4e5e755831bfc9fe4704c560cb92f31f520737cf60949e89ea9e79bd744fa2065a0b29d90d4a033404e3fbdcf1c974b1f28

    • SSDEEP

      3072:u5d6525555555e555555555555p5555+Ji555tp:R

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks