Resubmissions

06-04-2024 19:54

240406-ymvzhshd8w (score 10)

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • Sample

    240406-ymvzhshd8w

  • MD5

    13939d00b040ea20c7d18f289fc45fbc

  • SHA1

    f28f0847bffc18c66d73123117980917000098ad

  • SHA256

    00f7e412a5245b8756c569793e2254831848b2507f0a80feec9b37377a79630e

  • SHA512

    80ed3ad3e2ce9650219af10801e110d0c10b2a11b624efc4638d29e63cfea1e06735cd5f0226995a908985e1b494a372593acdb854072009277c5a6b730f0100

  • SSDEEP

    49152:Cvve821/aQWl8P0lSk3aKA3Z+nkjOEEfs8k/HYqoGdKHTHHB72eh2NT:Cvm821/aQWl8P0lSk3DA3Z+nkjO2p6

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Enslotheya-26488.portmap.io:26488

Enslotheya-26488.portmap.io:4782

Mutex

62898bf2-d740-4fac-9262-e5bd50e7c227

Attributes
  • encryption_key

    796C698C50C0E8D256FFF2870E20F871851BAB42

  • install_name

    SubDir.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Client-built.exe

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Drops file in System32 directory

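The extracted config and the behavioural signatures above translate directly into host and network indicators for this build: the mutex, the `<subdirectory>\<install_name>` tail of the install path (the "Drops file in System32 directory" signature is consistent with Quasar's system-directory install option), the Run-key value name, and the C2 hostname and ports. The following is an added example, not part of the sandbox report and not Quasar's own code: it normalises those config values into indicators and runs them over a few constructed endpoint events. The event schema (`type`, `pid`, `name`/`path`/`key`/`query`/`host`/`dst_port`) and the telemetry itself are assumptions made for the example.

```python
"""Turn the extracted Quasar config above into host and network indicators and
run them over constructed endpoint events. Added example for this report; the
event schema and telemetry are assumptions, not data from the report."""

from dataclasses import dataclass

# Values copied from the "Malware Config" section of the report.
QUASAR_CONFIG = {
    "c2": ["Enslotheya-26488.portmap.io:26488", "Enslotheya-26488.portmap.io:4782"],
    "mutex": "62898bf2-d740-4fac-9262-e5bd50e7c227",
    "install_name": "SubDir.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
}


@dataclass(frozen=True)
class Hit:
    event_index: int
    rule: str
    confidence: str  # "strong" = value specific to this build, "weak" = shared/default value


def indicators(cfg: dict) -> dict:
    """Normalise the config into lower-cased indicators for case-insensitive matching."""
    hosts, ports = set(), set()
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        hosts.add(host.lower())
        ports.add(int(port))
    return {
        "c2_hosts": hosts,
        "c2_ports": ports,
        "mutex": cfg["mutex"].lower(),
        # The base install directory depends on the build's install type, so
        # match only the <subdirectory>\<install_name> tail of the path.
        "install_tail": "\\" + (cfg["subdirectory"] + "\\" + cfg["install_name"]).lower(),
        "run_value": cfg["startup_key"].lower(),
    }


def _strip_mutex_namespace(name: str) -> str:
    """Drop an optional Global\\ or Local\\ prefix so the bare mutex name compares."""
    low = name.lower()
    for prefix in ("global\\", "local\\"):
        if low.startswith(prefix):
            return low[len(prefix):]
    return low


def match_events(events: list, ioc: dict) -> list:
    """Return one Hit per event that touches an indicator from the config."""
    hits = []
    for i, ev in enumerate(events):
        t = ev["type"]
        if t == "mutex" and _strip_mutex_namespace(ev["name"]) == ioc["mutex"]:
            hits.append(Hit(i, "quasar_mutex", "strong"))
        elif t == "file_write" and ev["path"].lower().endswith(ioc["install_tail"]):
            hits.append(Hit(i, "quasar_install_path", "strong"))
        elif (t == "reg_set" and ev["key"].lower().endswith("\\currentversion\\run")
              and ev["value"].lower() == ioc["run_value"]):
            hits.append(Hit(i, "quasar_run_key", "strong"))
        elif t == "dns" and ev["query"].lower().rstrip(".") in ioc["c2_hosts"]:
            hits.append(Hit(i, "quasar_c2_dns", "strong"))
        elif t == "netconn":
            if ev.get("host", "").lower() in ioc["c2_hosts"]:
                hits.append(Hit(i, "quasar_c2_host", "strong"))
            elif ev["dst_port"] in ioc["c2_ports"]:
                # Port alone is weak evidence: 4782 is Quasar's default listener
                # port shared by many builds, and 26488 is a portmap.io forwarded port.
                hits.append(Hit(i, "quasar_c2_port_only", "weak"))
    return hits


# Constructed endpoint events (not from the report): one infected process
# (pid 4120) and one unrelated process (pid 900).
TELEMETRY = [
    {"type": "mutex", "pid": 4120, "name": "Global\\62898bf2-d740-4fac-9262-e5bd50e7c227"},
    {"type": "file_write", "pid": 4120, "path": "C:\\Windows\\System32\\SubDir\\SubDir.exe"},
    {"type": "reg_set", "pid": 4120,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Quasar Client Startup"},
    {"type": "dns", "pid": 4120, "query": "enslotheya-26488.portmap.io."},
    {"type": "netconn", "pid": 4120, "host": "enslotheya-26488.portmap.io", "dst_port": 26488},
    {"type": "file_write", "pid": 900, "path": "C:\\Users\\alice\\Documents\\SubDir\\notes.txt"},
    {"type": "netconn", "pid": 900, "host": "", "dst_port": 4782},
]


def scan() -> list:
    """Run the report's indicators over the constructed telemetry."""
    return match_events(TELEMETRY, indicators(QUASAR_CONFIG))


if __name__ == "__main__":
    for h in scan():
        print(f"event {h.event_index}: {h.rule} ({h.confidence})")
```

Two caveats when reusing these indicators: the mutex, startup key and subdirectory are chosen per build by the operator, so they identify this sample's build rather than Quasar in general; and `portmap.io` is a port-forwarding relay, so the hostname and port 26488 point at a relay account, not at the operator's own infrastructure, and the port-only rule is deliberately scored "weak" for that reason.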
MITRE ATT&CK Enterprise v15

Tasks