General

  • Target

    8d007eefc7a40e5db7c83d900b3522e68782cd8d8d7b02768c774412b847ce6f

  • Size

    2.0MB

  • Sample

    240402-h535vabc86

  • MD5

    6c070805d0f04cc04cbabcf5c1e243df

  • SHA1

    b4668ac9d9d4b64a4d9b9c3615a2bccebf408b75

  • SHA256

    8d007eefc7a40e5db7c83d900b3522e68782cd8d8d7b02768c774412b847ce6f

  • SHA512

    80914cbbd3fe3bd94f1ad48a92f0adb75291817cd2993e428df9da306bbf305773d64188b79c60a0ade1383b7f7c2f87af29bbef4e7a6f2695cee602fca5da39

  • SSDEEP

    12288:ZCxv4m9vTKp5CU+b1GQ7wywPRQVZOZsNoo/zbMXQTGcCsqB9SNOuAxAEUV9l+:O5TKeU+wQ7wyuRaZEuG3q2IV9l

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    Office04

  • C2

    45.88.186.209:4782

  • Mutex

    e70efcae-9ec5-4682-aa19-15651d4d8cc8

Attributes

  • encryption_key

    4EF1547B5DB5058DCCEB6A60D48A54C35026D8D5

  • install_name

    gfhgfgjgf.exe

  • log_directory

    dfdfsf

  • reconnect_delay

    3000

  • startup_key

    hgfhjjhgj

  • subdirectory

    ghghghfg

Targets

    • Detect ZGRat V1

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks