Resubmissions

  • 08-10-2023 00:27  231008-ar1hssha3w  7
  • 08-10-2023 00:25  231008-aqzj4sbc59  10

General

  • Target

    dotNET_reactor.exe

  • Size

    1.5MB

  • Sample

    231008-aqzj4sbc59

  • MD5

    7f99586d030c79d0ca8bba0c2589a5ba

  • SHA1

    26adf5562bcca4557a29c798a409c721a51e3528

  • SHA256

    2a0324c1cb8517890533e3400c2ab4d758cc4a44cc95135d081e538453c8d977

  • SHA512

    5454a9003678fe48171c8f997328cf2796d309164d354a7a873545852bf9c16845579afbe29a0e4aa81023c70d2833443fa854985887b9efdc0fad574f63bd0e

  • SSDEEP

    24576:cGxDw6VZtjjYY6+1O0kTxY58oIe8t6W6r5jDpqiqIMQR23LTZv:zfVHh6ovkTxYMs9GiqIMQix

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    $$$$

  • C2

    amazonshipping.duckdns.org:3184

  • Mutex

    238fcca6-ae23-484b-82e4-5e1d37672924

Attributes
  • encryption_key

    15CB3BC7C96B95EC1FB1E6A2BB16B0B7BAEE8D08

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Targets

    • Target

      dotNET_reactor.exe

    • Size

      1.5MB

    • MD5

      7f99586d030c79d0ca8bba0c2589a5ba

    • SHA1

      26adf5562bcca4557a29c798a409c721a51e3528

    • SHA256

      2a0324c1cb8517890533e3400c2ab4d758cc4a44cc95135d081e538453c8d977

    • SHA512

      5454a9003678fe48171c8f997328cf2796d309164d354a7a873545852bf9c16845579afbe29a0e4aa81023c70d2833443fa854985887b9efdc0fad574f63bd0e

    • SSDEEP

      24576:cGxDw6VZtjjYY6+1O0kTxY58oIe8t6W6r5jDpqiqIMQR23LTZv:zfVHh6ovkTxYMs9GiqIMQix

    • Quasar RAT

      Quasar is an open-source .NET remote access tool.

    • Quasar payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application
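The behaviours and configuration values above translate directly into host and network detection logic: the Run value is named after startup_key (svchost, a name chosen to blend in with the real service host process), the dropped binary lives under the subdirectory and install_name (SubDir\Client.exe), and the C2 is a DuckDNS hostname on port 3184. The Go program below is an added example, not part of the report, that encodes those indicators as rules over Sysmon-style events (ID 1 process creation, 3 network connection, 13 registry value set, 22 DNS query). The event records are constructed for this example, and the AppData\Roaming install directory in them is an assumption; the report only gives the subdirectory and file name.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a minimal Sysmon-style record: EventID plus the EventData fields a rule needs.
// Real events come from the Sysmon operational log; the ones below are constructed.
type Event struct {
	ID     int
	Fields map[string]string
}

// Indicators taken from the report's extracted configuration.
const (
	startupKey  = "svchost"            // Run value name (startup_key)
	installPath = `\SubDir\Client.exe` // subdirectory + install_name
	c2Host      = "amazonshipping.duckdns.org"
	c2Port      = "3184"
)

type Rule struct {
	Name  string
	Match func(Event) bool
}

func hasSuffixFold(s, suffix string) bool {
	return len(s) >= len(suffix) && strings.EqualFold(s[len(s)-len(suffix):], suffix)
}

func containsFold(s, sub string) bool {
	return strings.Contains(strings.ToLower(s), strings.ToLower(sub))
}

var rules = []Rule{
	// Run value named like the startup_key whose data points at the install path.
	{"quasar_run_key_persistence", func(e Event) bool {
		return e.ID == 13 &&
			hasSuffixFold(e.Fields["TargetObject"], `\CurrentVersion\Run\`+startupKey) &&
			containsFold(e.Fields["Details"], installPath)
	}},
	// The dropped client starting from its install location.
	{"quasar_dropped_client_exec", func(e Event) bool {
		return e.ID == 1 && hasSuffixFold(e.Fields["Image"], installPath)
	}},
	// Resolution of the C2 hostname (trailing dot tolerated for FQDN form).
	{"quasar_c2_dns_lookup", func(e Event) bool {
		return e.ID == 22 && strings.EqualFold(strings.TrimSuffix(e.Fields["QueryName"], "."), c2Host)
	}},
	// Outbound connection to the C2 host on the configured port.
	{"quasar_c2_connection", func(e Event) bool {
		return e.ID == 3 && e.Fields["DestinationPort"] == c2Port &&
			containsFold(e.Fields["DestinationHostname"], c2Host)
	}},
}

// Scan returns the names of the rules that fire, in event order, one entry per hit.
func Scan(events []Event) []string {
	var hits []string
	for _, e := range events {
		for _, r := range rules {
			if r.Match(e) {
				hits = append(hits, r.Name)
			}
		}
	}
	return hits
}

// sampleEvents are constructed for this example; they are not from the report.
var sampleEvents = []Event{
	// Benign: the real svchost.exe process. The indicator is a Run *value name*, not this image.
	{1, map[string]string{"Image": `C:\Windows\System32\svchost.exe`}},
	// Benign: an ordinary Run key entry.
	{13, map[string]string{
		"TargetObject": `HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive`,
		"Details":      `"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background`}},
	// Malicious: Run value "svchost" pointing at SubDir\Client.exe (install directory assumed).
	{13, map[string]string{
		"TargetObject": `HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost`,
		"Details":      `"C:\Users\u\AppData\Roaming\SubDir\Client.exe"`}},
	{1, map[string]string{"Image": `C:\Users\u\AppData\Roaming\SubDir\Client.exe`}},
	{22, map[string]string{"QueryName": "amazonshipping.duckdns.org"}},
	{3, map[string]string{"DestinationHostname": "amazonshipping.duckdns.org", "DestinationPort": "3184"}},
}

func main() {
	for _, h := range Scan(sampleEvents) {
		fmt.Println(h)
	}
}
```

The first two constructed events show the false positives to avoid: a rule keyed only on the string "svchost" would fire on every service host start, so the persistence rule requires the Run value name and the install path together. The DNS rule is the most durable of the four, since the operator can rebuild the client with a new startup_key or install path but still has to resolve the same DuckDNS name unless they re-register.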

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • T1547 Boot or Logon Autostart Execution (1)
    • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (1)
    • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion
  • T1112 Modify Registry (1)

Discovery
  • T1012 Query Registry (1)
  • T1082 System Information Discovery (2)

Tasks