General

  • Target

    intelservice.exe

  • Size

    348KB

  • Sample

    231121-bepffabc34

  • MD5

    2f890b7ca2e7b4b24bb534c28e54d7cf

  • SHA1

    e8d9f966c18f10f1eff01478d41dabacd0300da5

  • SHA256

    92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7

  • SHA512

    666670b52d4113a4909cc27fb38b851c0066a74aa2bfe67bb906a0c1fffedffaf26bd8f4aa0371adea3c9e51917c1de27b3cde2ed05db56aad16f476a955f841

  • SSDEEP

    6144:60qQ4i1FFiEKDvLJavf52ibVcbVKglEb0ouAYyj9jZV293DIa:rpliTVOf56WBYylc3DIa

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

hackee

C2

20.205.140.63:1024

Mutex

QSR_MUTEX_5Tlo4RbwyDWBOOlMEb

Attributes
  • encryption_key

    zFGtr8G9lnuwN5OHbzbL

  • install_name

    intelservice.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Intel CPU Service

  • subdirectory

    intelcpu

Targets

    • Target

      intelservice.exe

    • Quasar RAT

      Quasar is an open-source remote access tool (RAT) for Windows, written in C#.

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Queries a legitimate public IP-lookup web service to learn the infected system's external IP address. Benign software does this too, so treat it as corroborating rather than conclusive on its own.
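The extracted config above (C2 socket, mutex, startup_key, subdirectory, install_name) and the behavioural signatures in this list are the indicators a responder would hunt for on endpoints. The script below is an added example, not code from the tria.ge report or from the Quasar project: it lifts those indicator values into a small matcher and runs it over constructed, Sysmon-style event records (the records, the placeholder IP addresses and the set of IP-lookup domains are all assumptions; the report does not say which lookup service this sample used). It assumes the startup_key is written as a value name under the Windows Run key, which is where Quasar registers its autostart entry, and it separates an exact mutex match (this build) from a QSR_MUTEX_ prefix match (some other Quasar build).

```python
"""Hunt for the Quasar indicators from the tria.ge report in endpoint telemetry.

Added example, not part of the report or the Quasar project. Indicator values
are copied from the report's extracted config; the event records and the
IP-lookup domain list are constructed assumptions, not real logs.
"""

# Indicators taken from the report's extracted config and hashes.
IOC = {
    "sha256": "92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7",
    "c2_ip": "20.205.140.63",
    "c2_port": 1024,
    "mutex": "QSR_MUTEX_5Tlo4RbwyDWBOOlMEb",
    "startup_key": "Intel CPU Service",
    "install_name": "intelservice.exe",
    "subdirectory": "intelcpu",
}

# Assumed set of public IP-lookup services; the report does not name the one used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "checkip.amazonaws.com"}

# Quasar registers its autostart value under the per-user (or machine) Run key.
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run"


def match_event(ev):
    """Return the indicator names an event matches (empty list if clean)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        # The config installs the client as <subdirectory>\<install_name>; match the
        # path tail rather than a full path so the parent directory does not matter.
        image = ev.get("image", "").lower().replace("/", "\\")
        if image.endswith("\\%s\\%s" % (IOC["subdirectory"], IOC["install_name"])):
            hits.append("install_path")
        if ev.get("sha256", "").lower() == IOC["sha256"]:
            hits.append("sha256")
    elif kind == "network_connect":
        # Match the full C2 socket; the port alone (1024) would be far too noisy.
        if ev.get("dst_ip") == IOC["c2_ip"] and ev.get("dst_port") == IOC["c2_port"]:
            hits.append("c2")
        if ev.get("dst_host", "").lower() in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    elif kind == "registry_set":
        key = ev.get("key", "").lower().replace("/", "\\")
        if key.endswith(RUN_KEY) and ev.get("value_name") == IOC["startup_key"]:
            hits.append("run_key")
    elif kind == "mutex_create":
        name = ev.get("name", "")
        if name == IOC["mutex"]:
            hits.append("mutex_exact")          # this exact build
        elif name.startswith("QSR_MUTEX_"):
            hits.append("mutex_family")         # Quasar, but a different config
    return hits


def hunt(events):
    """Group matching event ids by indicator name.

    The C2 socket, exact mutex and Run-key value are each strong on their own;
    external_ip_lookup is only corroborating, so callers should weigh keys differently.
    """
    result = {}
    for ev in events:
        for name in match_event(ev):
            result.setdefault(name, []).append(ev["id"])
    return result


# Constructed telemetry: one infected host's events plus two benign-looking ones.
# 203.0.113.10 is a documentation address standing in for the lookup service.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\intelcpu\\intelservice.exe",
     "sha256": IOC["sha256"]},
    {"id": 2, "type": "mutex_create", "name": "QSR_MUTEX_5Tlo4RbwyDWBOOlMEb"},
    {"id": 3, "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "Intel CPU Service",
     "value": "C:\\Users\\alice\\AppData\\Roaming\\intelcpu\\intelservice.exe"},
    {"id": 4, "type": "network_connect", "dst_host": "ip-api.com",
     "dst_ip": "203.0.113.10", "dst_port": 80},
    {"id": 5, "type": "network_connect", "dst_ip": "20.205.140.63", "dst_port": 1024},
    {"id": 6, "type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe",
     "sha256": "00"},
    {"id": 7, "type": "mutex_create", "name": "QSR_MUTEX_AbCdEfGhIjKlMnOpQr"},
]

if __name__ == "__main__":
    for name, ids in sorted(hunt(SAMPLE_EVENTS).items()):
        print("%-20s events %s" % (name, ids))
```

Feed real Sysmon events (IDs 1, 3 and 13 map onto process_create, network_connect and registry_set) through `match_event` after translating field names; mutex creation is not a Sysmon event, so that rule is for sandbox or EDR telemetry that records object creation.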
