General

  • Target

    f531e877860d55c756fb1ef584d1ed8a.bin

  • Size

    979KB

  • Sample

    240313-eb56kaca8w

  • MD5

    35c80c8393bd3f7f3b7345c61dd21d6b

  • SHA1

    fc2ae5615a88877b59f0af4e6a94579c2e70a5e4

  • SHA256

    b8c3ff5e368c1e11a4cd9b9f76fada25f740e6d0ca7acd5a75440cb75aab8dcd

  • SHA512

    66e060e9effca85616098afe1c11aaf46c171fe7c6b14b0e630d362d1e124da2642da9e5c8519e42b92989eb640287e82f2245b81cb1d0b5275289c0ff87f53f

  • SSDEEP

    24576:HvJOdWInr6ZXKmf0baMRdiOPwX8cK1ZMXZ6n:HcWMr6B0iO4k1GZ6n

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.3.0.0

  • Botnet

    PVP2

  • C2

    clausetestbits.chickenkiller.com:64598

    snoetestbits.ignorelist.com:64598

  • Mutex

    QSR_MUTEX_ttz0i8tcYpqYyKkP3l

Attributes

  • encryption_key

    kxBjTYBAXsyGYsjsYZcL

  • install_name

    mcr.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    mcs

  • subdirectory

    mcr

Targets

    • Target

      8817121972c8d15861d1b458c7997f308458004b22e0704e1fc312e6253b0c15.exe

    • Size

      1.0MB

    • MD5

      f531e877860d55c756fb1ef584d1ed8a

    • SHA1

      5c136e17a56d8e204e6a91c91c9b5811aca94381

    • SHA256

      8817121972c8d15861d1b458c7997f308458004b22e0704e1fc312e6253b0c15

    • SHA512

      16fccdae8245d53bea59885626a335b406ec83d49c3a7b4347ee10b8c84efad201be3697f5eec0a8522b717339a9cb4a4dbca2af59825cee4592ea5d237d0201

    • SSDEEP

      24576:OfhQo/Nij51ail9rFV7cgWaYdepbPA+DP5M5wDQA49/w6oRNWg:OJD1G1HlzRwlYPrDPW5wEo

    • Quasar RAT

      Quasar is an open-source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks