General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • Sample

    240406-1hta8scd94

  • MD5

    3b48c30ba23cb29292137d95f1712461

  • SHA1

    af660f0cbb50a5af4dcfc1f00821737bf90dc095

  • SHA256

    5f1ded6b39eecb4e4575ce1150a7d665a5c2a2df6a98ff331d586c13cdb1340e

  • SHA512

    b054f3a1f9118cca872560e28fc4cf9de10b9edc0c27a529fc07b835c82d0c5e53fad2e589950dcc1982c22f97ff85060c3bd258a00234cbf6620f0c73cdf1a7

  • SSDEEP

    49152:tvaET2mbaBm3/PxlL/uJIXpQ1H4CC1JbLoGdSu50THHB72eh2NT:tvDT2mbaBm3/PxlL/u+XpQ1H4Ce

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Enslotheya-26488.portmap.io:26488

Enslotheya-26488.portmap.io:4782

Enslotheya-26934.portmap.io:4782

Enslotheya-26934.portmap.io:26934

That1funnykid-39791.portmap.io:4782:4782

That1funnykid-39791.portmap.io:4782

Mutex

ec2ccd18-ac18-48f3-9617-54036c5add5d

Attributes

  • encryption_key

    796C698C50C0E8D256FFF2870E20F871851BAB42

  • install_name

    SubDir.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Client-built.exe

    • Size

      3.1MB

    • MD5

      3b48c30ba23cb29292137d95f1712461

    • SHA1

      af660f0cbb50a5af4dcfc1f00821737bf90dc095

    • SHA256

      5f1ded6b39eecb4e4575ce1150a7d665a5c2a2df6a98ff331d586c13cdb1340e

    • SHA512

      b054f3a1f9118cca872560e28fc4cf9de10b9edc0c27a529fc07b835c82d0c5e53fad2e589950dcc1982c22f97ff85060c3bd258a00234cbf6620f0c73cdf1a7

    • SSDEEP

      49152:tvaET2mbaBm3/PxlL/uJIXpQ1H4CC1JbLoGdSu50THHB72eh2NT:tvDT2mbaBm3/PxlL/u+XpQ1H4Ce

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks