General

  • Target

    REAL-main.zip

  • Size

    55KB

  • Sample

    240407-blcp8agg6y

  • MD5

    27310bf2773dbce5c630aa347ad2f240

  • SHA1

    d90aefa6fa6944dd0cb8aa607976c1ca4640e005

  • SHA256

    30adb9517db673b5fb40a6008b26ccd5b1cfa6cd6ec5522deb76f0aaa297343e

  • SHA512

    dc41ce1ff3c676cdf8541b936a741fe74125563e694e4fe330a7edc4c1989cc136b8113d3a5216a831b299caceecddc602f2b3dfb3e4071b6a1caf32541ae7c4

  • SSDEEP

    1536:q0D/NYt+mgDhMNTSTSyYDdjeX5q451JDOvNt6u:DaEh1FYDdjN4zpOv36u

Malware Config

Extracted

Family

eaglerat

C2

127.0.0.1:9875

127.0.0.1:7788

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

vfvrrvrvrvrvrvr-35467.portmap.host:35467

Mutex

42c19677-a378-403b-8b5c-523aacc3fbe9

Attributes
  • encryption_key

    79CB68D716E5E9BC61C22CE57DCE4390CE3A4CF9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      REAL-main/uhfwoioefejiofewjoifejofwjef.exe

    • Size

      64KB

    • MD5

      c306d26df4e2c3c4fe7136b0e3ec1b60

    • SHA1

      619b6a3db59fc2832cfad689cc09c9512f572246

    • SHA256

      38138ee80f9e69441d020cd399073bd9e7cf78bc563dc87fb937bef620a62361

    • SHA512

      daa499fbccc61d3d12351b849f2b9c883fdc3c7a4205e242800ce6fb14d59f55a8fd3e974f8fdeb2074b33fcdf79ca613d21999a481864b291125196b68d747d

    • SSDEEP

      1536:Dh3HaMmkefuYjsDAiENQVseNbIB2ngXPFo:d3GNjsD8YNOR9o

    • EagleRat

      An open source modular remote access trojan written in C#.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks