General

  • Target

    c1abb01a144a1e855ff3e360b2a8329c.bin

  • Size

    4.7MB

  • Sample

    240313-c8jbyscg95

  • MD5

    c1abb01a144a1e855ff3e360b2a8329c

  • SHA1

    9e40626658bbd8785cbf9eb579c5db9ebe2082db

  • SHA256

    cac4298cdde53f6551ed09e3653487db2c035f99170595fc34ee356a86c72b93

  • SHA512

    8b2d57fbe4b4a81a23bf9827941e5fb230edd17aa11441b73aa66e1522e321196ae32076f3516cc14a786f86fa949ae44fb6cce39c5d20d659afd04967b50475

  • SSDEEP

    98304:q8rJU7P47CtYVc7uc5mBexrzU1ZBZ7X7luqQAFDiX2hP1Z+ulQZ+76:qXoc7u4mBo4ZLXhuPAFDimhP1xe

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

chrome

C2

12432412412.hopto.org:4782

Mutex

QSR_MUTEX_6sfaGxuBDh3A5EdTFe

Attributes

  • encryption_key

    QPRe1YR5RuCsiP1u8cYv

  • install_name

    chrome.exe

  • log_directory

    Logs1

  • reconnect_delay

    3000

  • startup_key

    Startup

  • subdirectory

    sys

Extracted

Family

quasar

Attributes

  • reconnect_delay

    3000

Targets

    • Quasar RAT

      Quasar is an open-source remote access tool (RAT).

    • Quasar payload

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU cryptocurrency miner.

    • XMRig Miner payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks