General

  • Target

    0c0dc0cf41e3c993ae5a22803275949a.bin

  • Size

    9.5MB

  • Sample

    231230-bdjtkaggd8

  • MD5

    468bc5977d7a82e95b50b7793dbadec6

  • SHA1

    99180d2a32d95a96958ff7fb060ddb04ade154a8

  • SHA256

    01e185ad6cba8440d1fa1d5c5ea5802d346ae7fabbe1c57115e4135b84420a7f

  • SHA512

    e05d727ab548c7f127311565773b9250c2362ea69e56e3dd118b2f73cc7ee200531677d72e9aa4c5f397ae0e86369834795fd41bc1be44716f703f7865ad85f8

  • SSDEEP

    196608:H/UCCA89F4vqhvIeMGD4LH+AHiGHAkdGuqVHjx:H/UCC7f4yhQeELH9HBgkFq3

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

brofisthej.ddns.net:4822

Mutex

bba16831-38af-412f-a8c5-a3e7484d19bf

Attributes

  • encryption_key

    E24AB48F8EFB3017AA47324E2998E2D387BE10A9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe

    • Size

      12.7MB

    • MD5

      0c0dc0cf41e3c993ae5a22803275949a

    • SHA1

      e372df2088dfa0695608a0ecf9b98c133abcf8f6

    • SHA256

      18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc

    • SHA512

      41f531cc954c6c39be9458a8e048cda64f8604a62ab730024c495e4fe771ce53edd2befb1af31e1f4962d975f35a224f8d752f9c28a7ec64e08e968c1abacf98

    • SSDEEP

      49152:fIjotieByewT9gG21ntArAfjm6miv/t61TRORHEuEu1kGNkLde+tMtl1vVsTNwaC:fIq

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Quasar RAT

      Quasar is an open-source Remote Access Tool (RAT).

    • Quasar payload

    • Nirsoft

    • Creates new service(s)

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2
