General

  • Target: c0008144ddbf580b5aa762cdc847c84ea6222f9b47543c17ddb90d86cd7fd0caexe_JC.exe
  • Size: 877KB
  • Sample: 230811-rq2g5sfe2s
  • MD5: d0c51c2447ac3268679d6ca5605404ad
  • SHA1: c1bf165a82ec1d94e6773dc27b2432967baa7814
  • SHA256: c0008144ddbf580b5aa762cdc847c84ea6222f9b47543c17ddb90d86cd7fd0ca
  • SHA512: f7e9a7c31673b49ef36c92a90c75f4fc71f7c17234ab5d3efd4c3b9e42a2c3eaa9acc875e538c6804a96eddaa150e67e5eff4d7aa8cbdc706debffcb1a3f33c0
  • SSDEEP: 12288:aNO/e60FFubX3wASUKS/11/cy6muQSo0aENJmTm3k35OjJd+pmzsu8C/V16r9cF:7aKjg5Uvgqu5XlQZpOTtN1I9a

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.0
  • Botnet: KGB
  • C2: atomic.opdailyallowance.top:6980
  • Mutex: 3fe32e20-cb27-442c-ae9e-b10263926188

Attributes

  • encryption_key: 77D64A9E7D6F983A450481EF78D99F3A6B8A5925
  • install_name: Chrome.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: Chrome
  • subdirectory: ChromeUpdate

Targets

    • Target: c0008144ddbf580b5aa762cdc847c84ea6222f9b47543c17ddb90d86cd7fd0caexe_JC.exe
    • Size: 877KB
    • MD5: d0c51c2447ac3268679d6ca5605404ad
    • SHA1: c1bf165a82ec1d94e6773dc27b2432967baa7814
    • SHA256: c0008144ddbf580b5aa762cdc847c84ea6222f9b47543c17ddb90d86cd7fd0ca
    • SHA512: f7e9a7c31673b49ef36c92a90c75f4fc71f7c17234ab5d3efd4c3b9e42a2c3eaa9acc875e538c6804a96eddaa150e67e5eff4d7aa8cbdc706debffcb1a3f33c0
    • SSDEEP: 12288:aNO/e60FFubX3wASUKS/11/cy6muQSo0aENJmTm3k35OjJd+pmzsu8C/V16r9cF:7aKjg5Uvgqu5XlQZpOTtN1I9a

    • Quasar RAT: Quasar is an open source Remote Access Tool.
    • Quasar payload
    • Executes dropped EXE
    • Loads dropped DLL
    • Uses the VBS compiler for execution
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks