General

  • Target

    09b6791aa44d4ea5ef9fde46e065d4088148d90748a2c5e65305b116e09ba08f

  • Size

    36KB

  • Sample

    230801-qrav5shb5y

  • MD5

    01e4bf54de7fad5f68a17229f28c250b

  • SHA1

    7d1c36f3cd36437990e9df1469581ae76f453916

  • SHA256

    09b6791aa44d4ea5ef9fde46e065d4088148d90748a2c5e65305b116e09ba08f

  • SHA512

    75bc6e1047eedac61032139ede130add47ec2423da94f52c796821c62678889cb9968173af0a39291d916eed4cc2d041352554859a7c6c191e82914ed460ff3a

  • SSDEEP

    384:6xwJkR2ripNxsDd/NTffvUWyXjMkWSkQIw8kwMaXqwQmyU/51KreZEpk76O9:mDOdFr7yXoBQZAQveO1iGQ

Malware Config

Extracted

Family

redline

Botnet

ch

C2

79.134.225.80:11747

Extracted

Family

quasar

Version

1.3.0.0

Botnet

16th JULY

C2

198.98.54.161:6666

Mutex

QSR_MUTEX_Pl8uFsFQG2ggU9gBx9

Attributes

  • encryption_key

    3XivPs8YQVpfxU1EhGZE

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    notes

  • subdirectory

    SubDir

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15