General

  • Target

    09a8420f132e0ecc5725d7055d4201dc

  • Size

    16.8MB

  • Sample

    231230-bj4e6aaec9

  • MD5

    09a8420f132e0ecc5725d7055d4201dc

  • SHA1

    4d86e14b074504cddd76da50f2a3425067d484c3

  • SHA256

    f546c80fed56869c11e41e892fcf4485e1704ccfb084e115d5377e453637fa6d

  • SHA512

    3710add228ef718490e3eadbe9c6d82e8cbadcb86d97a6f474243e7d5fd9ea13fdd87e38defd271ead37d0e1e362dfd358319f376969548530e82c40fcea0582

  • SSDEEP

    393216:PaYS7OwgupiwzH84x2RybUbEp/IkqPJiQIDTrwN:Pa/ivOzHSobUbE1IkqPJMDvc

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

smtp.yassine-bolard.nl:72

82.65.150.176:72

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    V8QkE5vrgV4DVybE2MTP

  • install_name

    $77Discord.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Discord

  • subdirectory

    Discord

Targets

    • Target

      09a8420f132e0ecc5725d7055d4201dc

    • Size

      16.8MB

    • MD5

      09a8420f132e0ecc5725d7055d4201dc

    • SHA1

      4d86e14b074504cddd76da50f2a3425067d484c3

    • SHA256

      f546c80fed56869c11e41e892fcf4485e1704ccfb084e115d5377e453637fa6d

    • SHA512

      3710add228ef718490e3eadbe9c6d82e8cbadcb86d97a6f474243e7d5fd9ea13fdd87e38defd271ead37d0e1e362dfd358319f376969548530e82c40fcea0582

    • SSDEEP

      393216:PaYS7OwgupiwzH84x2RybUbEp/IkqPJiQIDTrwN:Pa/ivOzHSobUbE1IkqPJMDvc

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks