General

  • Target

    0x000b0000000122fe-60.dat

  • Size

    288KB

  • Sample

    240302-khyb7acb74

  • MD5

    473dada2898cd0c3f7bb193e784211a4

  • SHA1

    f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

  • SHA256

    827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

  • SHA512

    3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

  • SSDEEP

    6144:gRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkEq:p4AZrg7g9zVGkllbkx

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.0.0

  • Botnet

    storage

  • C2

    xmarvel.ddns.net:4782
    2.58.56.188:4782

  • Mutex

    Slbw7KtgA7WecQEqcR

Attributes
  • encryption_key

    BTg0dEybEXwn6MM90CP2

  • install_name

    ccleaner.exe

  • log_directory

    windowfirewalls

  • reconnect_delay

    1

  • startup_key

    windowsfirewall.msc

  • subdirectory

    windowsfirewall

Extracted

  • Family

    quasar

Attributes
  • reconnect_delay

    1

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    T1053 Scheduled Task/Job: 1

  • Persistence

    T1547 Boot or Logon Autostart Execution: 1
    T1547.001 Registry Run Keys / Startup Folder: 1
    T1053 Scheduled Task/Job: 1

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution: 1
    T1547.001 Registry Run Keys / Startup Folder: 1
    T1053 Scheduled Task/Job: 1

  • Defense Evasion

    T1112 Modify Registry: 1

  • Discovery

    T1012 Query Registry: 1
    T1082 System Information Discovery: 2
