General

  • Target

    Eggsploit.exe

  • Size

    3.1MB

  • Sample

    231107-whkxmscf9s

  • MD5

    667e8c88107d8b2505e2c984504b6363

  • SHA1

    78af687782710dc45bf2bf4235b543ebdfbdd266

  • SHA256

    9db1850549f3067e3f9804153cfae806318aa5c6d2566389b09ea3f4a2996e42

  • SHA512

    a6e0f44383a033a2e7b28783170f7830c32a234dee5670344f8c53db0e8ff074ebe109f3b71352b61caca260c03b91edda5843981453a08e0e8e08eb1879d3c0

  • SSDEEP

    49152:6vdt62XlaSFNWPjljiFa2RoUYIhe1F9oGq1kSjTHHB72eh2NT:6vf62XlaSFNWPjljiFXRoUYIg1HWk

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.13:4782

Mutex

45259779-0dcb-4afe-a014-ae49cf73286e

Attributes
  • encryption_key

    38F8A837013773F52CA41CD4456A32A9B17A9557

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    AustiBlox

  • subdirectory

    SubDir

Targets

    • Target

      Eggsploit.exe

    • Size

      3.1MB

    • MD5

      667e8c88107d8b2505e2c984504b6363

    • SHA1

      78af687782710dc45bf2bf4235b543ebdfbdd266

    • SHA256

      9db1850549f3067e3f9804153cfae806318aa5c6d2566389b09ea3f4a2996e42

    • SHA512

      a6e0f44383a033a2e7b28783170f7830c32a234dee5670344f8c53db0e8ff074ebe109f3b71352b61caca260c03b91edda5843981453a08e0e8e08eb1879d3c0

    • SSDEEP

      49152:6vdt62XlaSFNWPjljiFa2RoUYIhe1F9oGq1kSjTHHB72eh2NT:6vf62XlaSFNWPjljiFXRoUYIg1HWk

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks