General

  • Target

    1dd754f56411c6768ac2ed928c2290271f24fb0758361afe398064896ed1a4bf

  • Size

    741KB

  • Sample

    230824-fejbmsab56

  • MD5

    2c5b7495fa40d1f393950d73ba52b4e7

  • SHA1

    4f6cbe160a02842b1822f7f2cac082910277613b

  • SHA256

    1dd754f56411c6768ac2ed928c2290271f24fb0758361afe398064896ed1a4bf

  • SHA512

    e8cfb5623d95b1ff010da2d209fd6f70da428bb1c03bf6bbabf2c9163e326387fafa3fd79ebdec27d6066e1b1710a802a5e39bb9ea1bb490b5a6bfca8eae2410

  • SSDEEP

    12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbBy3vY65Ba/5ailWmpBlOIvhGCcSjopvtcWFQy:U2G/nvxW3Ww0tBy3vJ5MWuDTvhGCc/HN

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

NEW KLIENT

C2

94.131.105.161:12344

Mutex

QSR_MUTEX_UEgITWnMKnRP3EZFzK

Attributes
  • encryption_key

    asrHpA9A9vqonUR95oQ6

  • install_name

    lient.exe

  • log_directory

    Lugs

  • reconnect_delay

    3000

  • startup_key

    itartup

  • subdirectory

    SubDir

Targets

    • Target

      1dd754f56411c6768ac2ed928c2290271f24fb0758361afe398064896ed1a4bf

    • Size

      741KB

    • MD5

      2c5b7495fa40d1f393950d73ba52b4e7

    • SHA1

      4f6cbe160a02842b1822f7f2cac082910277613b

    • SHA256

      1dd754f56411c6768ac2ed928c2290271f24fb0758361afe398064896ed1a4bf

    • SHA512

      e8cfb5623d95b1ff010da2d209fd6f70da428bb1c03bf6bbabf2c9163e326387fafa3fd79ebdec27d6066e1b1710a802a5e39bb9ea1bb490b5a6bfca8eae2410

    • SSDEEP

      12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbBy3vY65Ba/5ailWmpBlOIvhGCcSjopvtcWFQy:U2G/nvxW3Ww0tBy3vJ5MWuDTvhGCc/HN

    • Modifies WinLogon for persistence

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks