General

  • Target: 295f0a57a5e69b701359a80ed15ab338
  • Size: 435KB
  • Sample: 231231-fsf4faccc2
  • MD5: 295f0a57a5e69b701359a80ed15ab338
  • SHA1: 9ea6a935e70bcdd864c882afb056c9a046389a05
  • SHA256: d366619e696013333ed98b3aa03567638e56286ded05fb34da197481fa4d89fe
  • SHA512: 9fb8d61630780a5079d1bc647818bd0d9b707955e1428e3518333eb0213d7dcc1e28a8156c1845b90e6bf7b0f1cdad7870ddb6ed160c8ee04f2be9cdec22b56e
  • SSDEEP: 12288:IHn2eF7god+QEy5xV1EiQZbGx09L8CkMTOZ2:xwg1QEy5xV1xqMMT

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.0
  • Botnet: Office04
  • C2: cinyk.duckdns.org:200
  • Mutex: f0588063-425c-49b3-90a0-146445b72227
  • Attributes
      • encryption_key: 03C79A7567CE54D0A1A215C4304C453535311F0C
      • install_name: Client.exe
      • log_directory: Logs
      • reconnect_delay: 3000
      • startup_key: Java Updater x64
      • subdirectory: SubDir

Targets

    • Modifies WinLogon for persistence

    • Quasar RAT

      Quasar is an open-source Remote Access Tool (RAT).

    • Quasar payload

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
