General

  • Target: 2bda8d6ee0e3ba6dbd8093272ca3b524
  • Size: 1.5MB
  • Sample: 231231-hbzwbsaaa6
  • MD5: 2bda8d6ee0e3ba6dbd8093272ca3b524
  • SHA1: 0d6243b098aff07091fc2caa8ca78ba6c5d285d3
  • SHA256: 5889d4b8dd5501b5bb0c31e99fbfba2f35cfcc44acee80f271404ba6e1046c23
  • SHA512: 8ce12e23a3dbb4a185a520a659e0095df4c4157b1d1b0b8eb783bbbe417c19c53ceeaf78fee4882e9a204b91b073e1731dfae50212ab379c0df303e0d56c6744
  • SSDEEP: 24576:KeV7YeExhf9aTXEuw+Plps89RjcyFShWVwjsgli:1KhwTzPlpjncDWG

Malware Config

Extracted

  • Family: quasar
  • Version: 2.7.0.0
  • Botnet: NexionHackTOOLS
  • C2: lafeuilleocb.duckdns.org:1604
  • Mutex: SoOlYmLEeaTU8o2xXj

Attributes

  • encryption_key: EO5tiig6EEUjYq6qUEGc
  • install_name: NexiionHaclTOOLS.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: clses

Targets

    • Target: 2bda8d6ee0e3ba6dbd8093272ca3b524

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks