General

  • Target

    OperaSetup.exe

  • Size

    6.1MB

  • Sample

    230801-tmkfkahd49

  • MD5

    41642cbd557222d87e97ce3aac35bd96

  • SHA1

    e7f793261b6564a6e0f92b661af0364968f3a68f

  • SHA256

    a57bbb8bb354aeb030d0f4290567b304ea16571c66a9c58298fe4da8c4f91adf

  • SHA512

    b00206b1b1b351d50daf13ede7248d36348e6e5421084eb5f6e4dd97f16879206b5b52def84124afdad48e0ff363e37fe314097cc282e657f79eea8447d237fb

  • SSDEEP

    98304:JGh5ziNlRUaub+MPDrc/c+NmXnKyFrsqCFHj92AYawl1WPOl6NVLkJ0xWbcmy:J3NlqaubXgUCqCBBjxMy

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

quasar

Version

1.4.1

Botnet

Opera

C2

4.tcp.eu.ngrok.io:12200

Mutex

dbdeb9e2-1d62-453a-8c06-8a6bf4be3071

Attributes
  • encryption_key

    8A2A7B58F2803115FF796E733C7311493928333B

  • install_name

    launcher.exe

  • log_directory

    Opera Logs

  • reconnect_delay

    3000

  • startup_key

    Opera Launcher

  • subdirectory

    Opera Software

Targets

    • Target

      OperaSetup.exe

    • Size

      6.1MB

    • MD5

      41642cbd557222d87e97ce3aac35bd96

    • SHA1

      e7f793261b6564a6e0f92b661af0364968f3a68f

    • SHA256

      a57bbb8bb354aeb030d0f4290567b304ea16571c66a9c58298fe4da8c4f91adf

    • SHA512

      b00206b1b1b351d50daf13ede7248d36348e6e5421084eb5f6e4dd97f16879206b5b52def84124afdad48e0ff363e37fe314097cc282e657f79eea8447d237fb

    • SSDEEP

      98304:JGh5ziNlRUaub+MPDrc/c+NmXnKyFrsqCFHj92AYawl1WPOl6NVLkJ0xWbcmy:J3NlqaubXgUCqCBBjxMy

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks