General

  • Target

    10bb8284965045b7c9bc442e5ce1f184

  • Size

    691KB

  • Sample

    231230-gw7k8sadcm

  • MD5

    10bb8284965045b7c9bc442e5ce1f184

  • SHA1

    0ca24ca1e8d2f4a9fecaea0134233781cb57e125

  • SHA256

    b19c884ff608ddcd01a1961791de3c8a4a058f7c17f23abec5a1aeb0ee2f44ff

  • SHA512

    9802721432375befb67b83122eb0d1260db698c2a74c7d0aff15ed3da5f433aff2d3fafa66369b997586a7b79740108fb923eaf9caee7032ff98a165aaebc87a

  • SSDEEP

    12288:N8F2v5RYZjGagUjAtN8yt00khHaK/0CrMixd/+RGzXsMB9h7ukziWy9EUKFTZdX1:N8iTYZjGM8D8GKMCrMi3JzXsW9ESiWyS

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

127.0.0.1:443

Mutex

FBdXANGH0BYFlg9CNn

Attributes
  • encryption_key

    A6NhGxikgt5GpTQYuW3i

  • install_name

    Microsoft Offline.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Offline

  • subdirectory

    SubDir

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Targets

    • Target

      10bb8284965045b7c9bc442e5ce1f184

    • Size

      691KB

    • MD5

      10bb8284965045b7c9bc442e5ce1f184

    • SHA1

      0ca24ca1e8d2f4a9fecaea0134233781cb57e125

    • SHA256

      b19c884ff608ddcd01a1961791de3c8a4a058f7c17f23abec5a1aeb0ee2f44ff

    • SHA512

      9802721432375befb67b83122eb0d1260db698c2a74c7d0aff15ed3da5f433aff2d3fafa66369b997586a7b79740108fb923eaf9caee7032ff98a165aaebc87a

    • SSDEEP

      12288:N8F2v5RYZjGagUjAtN8yt00khHaK/0CrMixd/+RGzXsMB9h7ukziWy9EUKFTZdX1:N8iTYZjGM8D8GKMCrMi3JzXsW9ESiWyS

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks