General

  • Target

    opera.exe

  • Size

    3.2MB

  • Sample

    230801-rqgsqsgc62

  • MD5

    62a0d66d4c94d255d7386208f69b70e8

  • SHA1

    43e128c5d41409b848b844c31e45818802d7ea4f

  • SHA256

    974f559a122c842637b893bb5500cfb2caccab2f464526f688d39e451c3c5487

  • SHA512

    b3d69909141f2e5adebb93765689a7e83bca02d5000aaf8daa6a32275b3fa04eebb70b889edfb6a75579a73119ab010dc51e23b662dbd6c7ea071a1d2356def7

  • SSDEEP

    49152:hHM592AYawl1WPOl6NVtRkJ0xWc+DiEQsMkCxSvoG+DTHHB72eh2NT:hHg92AYawl1WPOl6NVLkJ0xWc+Dsw

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Opera

C2

4.tcp.eu.ngrok.io:12200

Mutex

dbdeb9e2-1d62-453a-8c06-8a6bf4be3071

Attributes
  • encryption_key

    8A2A7B58F2803115FF796E733C7311493928333B

  • install_name

    launcher.exe

  • log_directory

    Opera Logs

  • reconnect_delay

    3000

  • startup_key

    Opera Launcher

  • subdirectory

    Opera Software

Targets

    • Target

      opera.exe

    • Size

      3.2MB

    • MD5

      62a0d66d4c94d255d7386208f69b70e8

    • SHA1

      43e128c5d41409b848b844c31e45818802d7ea4f

    • SHA256

      974f559a122c842637b893bb5500cfb2caccab2f464526f688d39e451c3c5487

    • SHA512

      b3d69909141f2e5adebb93765689a7e83bca02d5000aaf8daa6a32275b3fa04eebb70b889edfb6a75579a73119ab010dc51e23b662dbd6c7ea071a1d2356def7

    • SSDEEP

      49152:hHM592AYawl1WPOl6NVtRkJ0xWc+DiEQsMkCxSvoG+DTHHB72eh2NT:hHg92AYawl1WPOl6NVLkJ0xWc+Dsw

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks