General

  • Target: 318b4d0e7a32e77a47e80ea0c933010a
  • Size: 1.3MB
  • Sample: 230823-gpnvjsac42
  • MD5: 318b4d0e7a32e77a47e80ea0c933010a
  • SHA1: e14a9bf2fbb65d99c09ce4874df357bf48ab33a7
  • SHA256: 3eff4c5d17c807e48a3c3ced3264273f19f7d7e3d1224f735f0ae5700d5ec905
  • SHA512: 9600dff6b2beea9c65b9340400c584a4ce0556f00eb2bd7eb98ae337ce4167419c063c89d64ca867997496b8418f0b4763201d5247a5229680c69a683765312e
  • SSDEEP: 24576:YCUjzUGK5blWiGQ5ZzOkqGRoQ1l+ybMnqFz1Q5Zxc1fPmOAJml:YnxoB5ZzO9GRoQ1lvmqFzexc1f+Oui

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.0.0
  • Botnet: SENSHI 3
  • C2: 185.177.125.198:222
  • Mutex: LDbLLU62madvFfGsjT

Attributes

  • encryption_key: WCDUxKWT4OyOHRQd2hKI
  • install_name: csrss.exe
  • log_directory: Logs
  • reconnect_delay: 2500
  • startup_key: Windows Defender
  • subdirectory: SubDir

Targets

    • Quasar RAT: Quasar is an open-source Remote Access Tool.
    • Quasar payload
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Drops startup file
    • Executes dropped EXE
    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext
