General

  • Target

    SPOOFER.bin.exe

  • Size

    12.7MB

  • Sample

    231228-xkr96sdea7

  • MD5

    0c0dc0cf41e3c993ae5a22803275949a

  • SHA1

    e372df2088dfa0695608a0ecf9b98c133abcf8f6

  • SHA256

    18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc

  • SHA512

    41f531cc954c6c39be9458a8e048cda64f8604a62ab730024c495e4fe771ce53edd2befb1af31e1f4962d975f35a224f8d752f9c28a7ec64e08e968c1abacf98

  • SSDEEP

    49152:fIjotieByewT9gG21ntArAfjm6miv/t61TRORHEuEu1kGNkLde+tMtl1vVsTNwaC:fIq

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

brofisthej.ddns.net:4822

Mutex

bba16831-38af-412f-a8c5-a3e7484d19bf

Attributes
  • encryption_key

    E24AB48F8EFB3017AA47324E2998E2D387BE10A9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      SPOOFER.bin.exe

    • Quasar RAT

      Quasar is an open source .NET remote access tool (RAT); this sample carries a version 1.4.1 client configuration.

    • Quasar payload

    • Nirsoft

    • Creates new service(s)

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

      The configured C2, brofisthej.ddns.net, is a dynamic DNS hostname, so the operator can repoint it to a new IP without rebuilding the client.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which detaches the calling thread from any attached debugger; a common anti-analysis technique.
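The extracted configuration and the behaviour signatures above translate directly into host and network detections. The following is an added example, not part of the sandbox report or of the Quasar project: it matches the report's indicators (sample hashes, the SubDir\Client.exe install path, the "Quasar Client Startup" Run value and the brofisthej.ddns.net:4822 C2) against Sysmon-style event records. The event records and their field names (EventID 1/3/13 with Image, Hashes, DestinationHostname, DestinationPort, TargetObject) are constructed sample telemetry, and the install base folder is unknown from the report, so the path check is a suffix match.

```python
"""Match the indicators from this report against Sysmon-style event records.

Added example; not code from the sandbox report or from Quasar. Indicator
values are copied from the report. The event records below and their field
layout (Sysmon EventID 1 process create, 3 network connection, 13 registry
value set) are constructed sample telemetry, not real logs.
"""

# Indicators taken from the report.
SAMPLE_MD5 = "0c0dc0cf41e3c993ae5a22803275949a"
SAMPLE_SHA256 = "18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc"
C2_HOST = "brofisthej.ddns.net"
C2_PORT = 4822
STARTUP_KEY = "Quasar Client Startup"   # Run value name from startup_key
INSTALL_NAME = "Client.exe"             # install_name
SUBDIRECTORY = "SubDir"                 # subdirectory


def parse_sysmon_hashes(field):
    """Turn Sysmon's 'SHA1=..,MD5=..,SHA256=..' string into a dict (lower-cased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


def match_event(ev):
    """Return the list of indicator names an event matches (empty if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        hashes = parse_sysmon_hashes(ev.get("Hashes", ""))
        if hashes.get("sha256") == SAMPLE_SHA256 or hashes.get("md5") == SAMPLE_MD5:
            hits.append("known_sample_hash")
        image = ev.get("Image", "").lower()
        # Base install folder is not in the report, so match only the
        # <subdirectory>\<install_name> suffix (assumption).
        if image.endswith(("\\" + SUBDIRECTORY + "\\" + INSTALL_NAME).lower()):
            hits.append("quasar_install_path")
    elif eid == 3:  # network connection
        host = ev.get("DestinationHostname", "").lower().rstrip(".")
        if host == C2_HOST and int(ev.get("DestinationPort", 0)) == C2_PORT:
            hits.append("quasar_c2")
    elif eid == 13:  # registry value set
        path, _, value_name = ev.get("TargetObject", "").rpartition("\\")
        if path.lower().endswith("\\currentversion\\run") and value_name == STARTUP_KEY:
            hits.append("quasar_run_key")
    return hits


def scan(events):
    """Map event index -> matched indicator names, omitting events with no hit."""
    results = {}
    for idx, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results[idx] = hits
    return results


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\victim\\Downloads\\SPOOFER.bin.exe",
     "Hashes": "SHA1=e372df2088dfa0695608a0ecf9b98c133abcf8f6,"
               "MD5=0c0dc0cf41e3c993ae5a22803275949a,"
               "SHA256=18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc"},
    {"EventID": 1, "Image": "C:\\Users\\victim\\AppData\\Roaming\\SubDir\\Client.exe",
     "Hashes": "MD5=ffffffffffffffffffffffffffffffff"},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Quasar Client Startup",
     "Details": "\"C:\\Users\\victim\\AppData\\Roaming\\SubDir\\Client.exe\""},
    {"EventID": 3, "DestinationHostname": "brofisthej.ddns.net", "DestinationPort": 4822},
    {"EventID": 3, "DestinationHostname": "update.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The hostname comparison strips a trailing dot and lower-cases, since DNS names in telemetry are not normalised consistently; the registry check keys on the Run value name rather than the full hive path so it fires for any user SID. The mutex from the config is not covered here because Sysmon does not record mutex creation; it is better checked on a live host.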

MITRE ATT&CK Enterprise v15

Tasks