General

  • Target: 2f017c769c39fef1c8e8d4a2041ffc65.bin
  • Size: 6KB
  • Sample: 231121-bsbrhabc98
  • MD5: 2f017c769c39fef1c8e8d4a2041ffc65
  • SHA1: ee4d54f3909c07a3bf0ed34daa682ca4c008c6a6
  • SHA256: bdc69cac3dd5b6a68961435eb7379adea6936893d3debae53cfc36e0668de079
  • SHA512: be84b9cf2f3fbb3ae099b0e28d981c33a3ec145422909ea413b706e585b9f2acf788c844a13a0781267e263f2b37f6b73b4165701d3e1c21aae32fd884d38a00
  • SSDEEP: 192:ekQ79H66CpkyD44aT5k1766kuYEKpGQRMO:a7gpROR6kuNK0QKO

Malware Config

Extracted

  • Family: quasar
  • Version: 1.3.0.0
  • Botnet: Office04
  • C2: LaraLoveU-44526.portmap.host:44526
  • Mutex: QSR_MUTEX_FzYyCES1fI0geSNN76

Attributes

  • encryption_key: DhxP4RRoJUjNRd1gIFU8
  • install_name: Windows TCP .exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: Windows HD Driver
  • subdirectory: Windows

Targets

    • Target: RoseCheatsV4/AimBot.dll
    • Size: 122B
    • MD5: aa9bf6a15157e18543f5457ac557d3d2
    • SHA1: f6dd2e67eb65ce0aed1559ca58655f7bb900b90e
    • SHA256: 43879afd5af1d5b226629778d64e448a0b092352a0e7ddfd7ae7082daa7f5c3f
    • SHA512: 3c432dfc0f5ada690a16e4b440e20578354ddc15aaf6f8bdb6eb659904b378b5fc0471df74bad49d9ea986f2e734c130e5f084ac9fdfa4be4f755af36685783c
    • Score: 1/10

    • Target: RoseCheatsV4/OBF20x-startV1.bat
    • Size: 17KB
    • MD5: 411be5b301d07890e23ed69bf221d995
    • SHA1: cb099ca6075e1c7e7837f42021a808cbaf191aa9
    • SHA256: 58e3d5b71e5cca265feafc3be93df55ea6b9d12d6f150cac953b8e91a451c9e3
    • SHA512: eea35274ee204c4fe778c3e78646e9ad63e5b5aa16f3d3fe52bd1753d5f5b68c98281a2a8fdbe723db0428498e64a2dae4d943cb5257388db87b63d5184a9c54
    • SSDEEP: 192:U/5mkQJ3Hj/BTfgcJ5KBKUuGSjjzoCDinBZNsbXfxENKDZa/41qHpmX:wSgRudjz4zNsbvxKKDZa/41QgX

    • Quasar RAT
      Quasar is an open source Remote Access Tool.
    • Quasar payload
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Drops file in System32 directory


    • Target: RoseCheatsV4/data/bot.py
    • Size: 91B
    • MD5: 8c0a898281baf82b1fd39079201fbcc0
    • SHA1: 5afcb1904e9ceb4c6673573e7aa31e4effdce208
    • SHA256: d5f6a781626ad9e84bd8690bd35503f818957720cde5ad55369478b3c844d002
    • SHA512: 6f9a316e05607bb7fbf019d44feb43cbc6eaa76cd5b4ba10573a9aae0b07187b931482c612a2e53dd3e61a32440f62565927ad0cde05241deabd69d04e4bdfa4
    • Score: 3/10

    • Target: RoseCheatsV4/data/portscanner.py
    • Size: 427B
    • MD5: 5b18828a41fa1f93b56354de0fb0e157
    • SHA1: b3cfdfb88a48ae5bd423e05dbfc9fc316e5615a5
    • SHA256: 7586add73f4d919d25c62e093cd700d0712a17982c0f7d72a82b360fb6443005
    • SHA512: 0825236f8648929d04663b32263d8c75718c443981fbe86b529be98d78a349932f9d03bad6585f56ac35cb54578224a285b774cd854e09e0cd05f301ed3f2c68
    • Score: 3/10

    • Target: RoseCheatsV4/data/portscanner2.py
    • Size: 1KB
    • MD5: d9b7026810324a4b14b826f62e7ffc44
    • SHA1: 31600e6e59a87cec0b1aed6ae3fa1003131c3ec5
    • SHA256: 25bf231d473acb14f02f6dc0774317c9cd315cf4acd7b2e0a30759ce1809cf4e
    • SHA512: 5ca11365790bf3bc7b06ac61d583c482131350056e1c753adf380a7d128edb86ef03e6867073cde1c3f6b7c5eaa5ffa1c76a912e247b855800a4ec79875e77d8
    • Score: 3/10

    • Target: RoseCheatsV4/data/portscanner3.py
    • Size: 2KB
    • MD5: f3546098103d32d641b142773a9f0bee
    • SHA1: a0e2a2178dd5acfa9c8f9ec70362d894a9288135
    • SHA256: 2c7d60fa30831a38d1a5fb8ade5af48431c006056aee3c45cebd0353b0737e7d
    • SHA512: afec372e9e185d95fed42cbaa5c09dc75e8498be2d430ded9865125725b5cee5f54344ec8965c1ebe623c095f46267cbc92ade78807b8fe998edd29fb4cbbb39
    • Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks