General

  • Target

    54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781

  • Size

    786KB

  • Sample

    240402-z8mqpsdh7z

  • MD5

    579ebb1309ad953fa0cb52c33b190baa

  • SHA1

    70ccb8c950d96a7e6c32d09c307227f271a627ba

  • SHA256

    54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781

  • SHA512

    2b9d5413626358fae10013e2fd214ec5e66cf7c30665f896563a39f3564ef475cbda8de14cb6f9260d5f49b70a1967d1097c0f855e7985ebed78d2a0c25390d4

  • SSDEEP

    24576:6O7r0f+STf0QcR9CTsPsOcs1kITzH9FHB2PpO:6gAf+YMQceTs1t1/TzdFh20

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

83.147.53.145:3700

Mutex

QSR_MUTEX_6WQThXDTXhAO4iLfWV

Attributes

  • encryption_key

    rylGzNSu4oGtwQbffX0U

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781

    • Size

      786KB

    • MD5

      579ebb1309ad953fa0cb52c33b190baa

    • SHA1

      70ccb8c950d96a7e6c32d09c307227f271a627ba

    • SHA256

      54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781

    • SHA512

      2b9d5413626358fae10013e2fd214ec5e66cf7c30665f896563a39f3564ef475cbda8de14cb6f9260d5f49b70a1967d1097c0f855e7985ebed78d2a0c25390d4

    • SSDEEP

      24576:6O7r0f+STf0QcR9CTsPsOcs1kITzH9FHB2PpO:6gAf+YMQceTs1t1/TzdFh20

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables packed with SmartAssembly

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks