General

  • Target

    Cyberious.exe

  • Size

    16.8MB

  • Sample

    240404-lw9stace32

  • MD5

    0cdf30cd1ca6564216a6cf1dc5d8315f

  • SHA1

    5d5a7e25c942b2bc62d942282cdef7e082f799a9

  • SHA256

    3e534ef30466b4bd109e8c23d3a91a2302164a983aa9131a5d3df7cbc8cd8730

  • SHA512

    90f2205e5b5f1ac1236808415885bb05306340a224bd6510861cfa461741316c4dc2d4c5333b53d9d5fdd37c7ec4713fd7eb1c620455fc5966c5059b23a48b29

  • SSDEEP

    393216:lAgi0xJWSU/CeMIHF3Jmeu21pNHR1l3kkn0TV1lwksmZ095:lzPv/eH/meL1pNHN3z2qks+c

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    Office04

  • C2

    10.9.46.166:1333

    10.9.34.66:1333

    NareReti-40382.portmap.host:40382

  • Mutex

    1f3547a3-6112-47d5-9c48-4fb1bd3d6344

Attributes

  • encryption_key

    CE886B4F24E457903274F7555F940215147255CD

  • install_name

    updater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Google Chrome

  • subdirectory

    Chrome

Targets

    • Target

      Cyberious.exe

    • Size

      16.8MB

    • MD5

      0cdf30cd1ca6564216a6cf1dc5d8315f

    • SHA1

      5d5a7e25c942b2bc62d942282cdef7e082f799a9

    • SHA256

      3e534ef30466b4bd109e8c23d3a91a2302164a983aa9131a5d3df7cbc8cd8730

    • SHA512

      90f2205e5b5f1ac1236808415885bb05306340a224bd6510861cfa461741316c4dc2d4c5333b53d9d5fdd37c7ec4713fd7eb1c620455fc5966c5059b23a48b29

    • SSDEEP

      393216:lAgi0xJWSU/CeMIHF3Jmeu21pNHR1l3kkn0TV1lwksmZ095:lzPv/eH/meL1pNHN3z2qks+c

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Creates new service(s)

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks