General

  • Target: e51e1e4a21fef3fd98784683d80b5a02.bin
  • Size: 978KB
  • Sample: 240313-d7v5ssdg95
  • MD5: 186baf2a39e4b428fc7fa67640be9e6e
  • SHA1: 891a35a736af8135bcdd976b77072b4c1c98a9fa
  • SHA256: c36140401c52d70a7d3bd98ac62093dfd2ab449cea98bc9aafbab6aa2062f57f
  • SHA512: 140eaf9709b8a41ec7226628cae1fcd18a14736c0906cb84ae133d18189fc21cd312f0370c02d18ccb06508bd181737e5e84b4bfc77e186842c59d6fe9a70583
  • SSDEEP: 24576:7linNLBoib5kIJVl4yGysDVqnR4tX6R9t:7KPNBJ34yGyUMne65

Malware Config

Extracted

Family: quasar
Version: 1.3.0.0
Botnet: PVP2
C2:
  • clausetestbits.chickenkiller.com:64598
  • snoetestbits.ignorelist.com:64598
Mutex: QSR_MUTEX_ttz0i8tcYpqYyKkP3l
Attributes:
  • encryption_key: kxBjTYBAXsyGYsjsYZcL
  • install_name: mcr.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: mcs
  • subdirectory: mcr

Targets

    • Target: aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe
    • Size: 1.0MB
    • MD5: e51e1e4a21fef3fd98784683d80b5a02
    • SHA1: 309790387ec94c189ef94803a87fab335159657a
    • SHA256: aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7
    • SHA512: 329922a8229f6e07f549e8919b4f6e1d60bf7d153b30487c8dde0116d8b31745f88d3f7bf20616d2a88276e8d2c24859e73440a03d4d2ecc08cd207678d84265
    • SSDEEP: 24576:A1QNv9uN9fFNd6AtvbGN/BCfKEPmxKVnRNWg:A1WluN9fZvbGyKFxg

    Signatures

    • Quasar RAT
      Quasar is an open source Remote Access Tool.
    • Quasar payload
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Executes dropped EXE
    • Loads dropped DLL
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks