General

  • Target

    24ac8f788c945be0d9ce1ee31573e040

  • Size

    691KB

  • Sample

    231231-c28y2agddl

  • MD5

    24ac8f788c945be0d9ce1ee31573e040

  • SHA1

    99c847a279f4253ce11680d08e8c579998e1f690

  • SHA256

    fe8593b5d45e1ffcd4f1d47e4167c5e13ad33f3391250d53e500ff0328f018cc

  • SHA512

    0aad7edb667544d2946b0545c23f47ec99fbcd1e9106c55908f3f92061a2f736f3ad29e426feb140e91d0bdfa249266cc1f4883e43f521c1d0a60bc0d6d33cf3

  • SSDEEP

    12288:N8F2v5RYZjGagUjAtN8yt00khHaK/0CrMixd/+RGzXsMB9h7ukziWy9EUKFTZdX1:N8iTYZjGM8D8GKMCrMi3JzXsW9ESiWyS

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

127.0.0.1:443

Mutex

FBdXANGH0BYFlg9CNn

Attributes

  • encryption_key

    A6NhGxikgt5GpTQYuW3i

  • install_name

    Microsoft Offline.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Offline

  • subdirectory

    SubDir

Extracted

Family

quasar

Attributes

  • reconnect_delay

    3000

Targets

    • Target

      24ac8f788c945be0d9ce1ee31573e040

    • Size

      691KB

    • MD5

      24ac8f788c945be0d9ce1ee31573e040

    • SHA1

      99c847a279f4253ce11680d08e8c579998e1f690

    • SHA256

      fe8593b5d45e1ffcd4f1d47e4167c5e13ad33f3391250d53e500ff0328f018cc

    • SHA512

      0aad7edb667544d2946b0545c23f47ec99fbcd1e9106c55908f3f92061a2f736f3ad29e426feb140e91d0bdfa249266cc1f4883e43f521c1d0a60bc0d6d33cf3

    • SSDEEP

      12288:N8F2v5RYZjGagUjAtN8yt00khHaK/0CrMixd/+RGzXsMB9h7ukziWy9EUKFTZdX1:N8iTYZjGM8D8GKMCrMi3JzXsW9ESiWyS

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks