General

  • Target: Client.exe
  • Size: 8.2MB
  • Sample: 240115-cxevdsgef5
  • MD5: 1e5e92049ee3411cb606a56a535987b8
  • SHA1: 9f3c701ede9d7c4ffec03f8ee02d5161e1c41b80
  • SHA256: 3b284744b856c3cf5d445be60cb327bcf5b69b844b80ba8f1ada2130e426eca8
  • SHA512: a119c29a53fc44ee430f24cd183917f8b1ec1fd83b9fc1a3d1dad0b1a4f19a0bb6fd532fb7f298ee18388502b34c50ab06232f7b8122b46674945459cc8442fa
  • SSDEEP: 98304:Nvm42pda6D+/PjlLOlZyQipV0TRJ6uYcRQK1Ir9cX2wuAzQ2lz8kgHjBAHvEIxwu:hyOpUXflzEHjB7h306I

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: UPDATE
  • C2:
      armamagedomupdate.ddns.net:4782
      127.0.0.1:4782
      186.222.176.105:4782
  • Mutex: 1b6d7fed-1a52-4066-b013-42889840485c

Attributes

  • encryption_key: C77872F68B89499AA5521BDFC1B6CC41F2578CAE
  • install_name: UPDATE.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: AutoUpdate
  • subdirectory: SubDir

Targets

    • Quasar RAT: Quasar is an open source Remote Access Tool.
    • Quasar payload
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
    • Executes dropped EXE
    • Loads dropped DLL
    • Themida packer: Detects Themida, an advanced Windows software protection system.
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                        Count  ID
  Execution             Scheduled Task/Job               1      T1053
  Persistence           Scheduled Task/Job               1      T1053
  Privilege Escalation  Scheduled Task/Job               1      T1053
  Defense Evasion       Virtualization/Sandbox Evasion   1      T1497
  Discovery             Query Registry                   2      T1012
  Discovery             Virtualization/Sandbox Evasion   1      T1497
  Discovery             System Information Discovery     2      T1082
