General

  • Target

    d151668cc8126a84f824dc66856e77f7

  • Size

    2.6MB

  • Sample

    231220-sfrevsdeg9

  • MD5

    d151668cc8126a84f824dc66856e77f7

  • SHA1

    4c2fda4ab4aded1275a0fde6c644a65cc5dec6d0

  • SHA256

    251bcc9f598fcae75d9aa7eb0e9c265d55847ab56f47c066376cffe695045766

  • SHA512

    0eb38a3f80da0f7c8be762253dc44a3429fa5535d2219664c6f80b025c51c127ffe6a9486418415384b86d2f037c0877d4180e3d981f46d730c1888344419474

  • SSDEEP

    3072:vaYxWNzXZmlCBed9Lg6QjTfLCbCXTucxBZ:vLxszX7wijTff

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.0

  • Botnet

    KURBAN

  • C2

    zheresss.duckdns.org:4782

  • Mutex

    7d4567a3-a2c5-4e67-a173-49a6c1ff9ba1

Attributes
  • encryption_key

    86FD1C543EB2555B79B5BA711E72F897DDD244DE

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    FxsTmps

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job (T1053): 1

  • Persistence

    Scheduled Task/Job (T1053): 1

  • Privilege Escalation

    Scheduled Task/Job (T1053): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks