General

  • Target

    aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe

  • Size

    1.0MB

  • Sample

    240312-djhjssgd92

  • MD5

    e51e1e4a21fef3fd98784683d80b5a02

  • SHA1

    309790387ec94c189ef94803a87fab335159657a

  • SHA256

    aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7

  • SHA512

    329922a8229f6e07f549e8919b4f6e1d60bf7d153b30487c8dde0116d8b31745f88d3f7bf20616d2a88276e8d2c24859e73440a03d4d2ecc08cd207678d84265

  • SSDEEP

    24576:A1QNv9uN9fFNd6AtvbGN/BCfKEPmxKVnRNWg:A1WluN9fZvbGyKFxg

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.3.0.0

  • Botnet

    PVP2

  • C2

    clausetestbits.chickenkiller.com:64598

    snoetestbits.ignorelist.com:64598

  • Mutex

    QSR_MUTEX_ttz0i8tcYpqYyKkP3l

Attributes

  • encryption_key

    kxBjTYBAXsyGYsjsYZcL

  • install_name

    mcr.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    mcs

  • subdirectory

    mcr

Targets

    • Quasar RAT

      Quasar is an open-source Remote Access Tool (RAT).

    • Quasar payload

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables packed with ConfuserEx Mod

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks