General

  • Target

    sample

  • Size

    18KB

  • Sample

    240407-zxq9raeg86

  • MD5

    1a142ed78fd54fe0b5427027ba902905

  • SHA1

    8335a20c0ff1c7e89a64a1b06787f6e1c21b7fc4

  • SHA256

    e89e17a5b8d5ab76a31f4404041fc1f9b5d2806c84dfce6034acb481133edb89

  • SHA512

    4ea1f9fd0fc3391dace74273997a33f387ed5bbe12338c4fe86323fb71cf2665fff59567e943a1b2c78e9202556f23a290999d50346daec84117b43004fd5e75

  • SSDEEP

    384:rMLpG3YtDpmReVoOs4EsN9ylKeGMzaU8HhhbO3BS137P2cdS2LjFrSE3+IVJCBXu:rMLOYtBVoOs4EsryI1MzQBhbORS1rP2i

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

6.tcp.ngrok.io:16799

Mutex

0c20af10-1b0a-4d0e-bbca-3718ee39e827

Attributes
  • encryption_key

    284202D1B7ED732612BB54048953C4453A2549F9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    System32

  • subdirectory

    SubDir

Targets

    • Target

      sample

    • Size

      18KB

    • MD5

      1a142ed78fd54fe0b5427027ba902905

    • SHA1

      8335a20c0ff1c7e89a64a1b06787f6e1c21b7fc4

    • SHA256

      e89e17a5b8d5ab76a31f4404041fc1f9b5d2806c84dfce6034acb481133edb89

    • SHA512

      4ea1f9fd0fc3391dace74273997a33f387ed5bbe12338c4fe86323fb71cf2665fff59567e943a1b2c78e9202556f23a290999d50346daec84117b43004fd5e75

    • SSDEEP

      384:rMLpG3YtDpmReVoOs4EsN9ylKeGMzaU8HhhbO3BS137P2cdS2LjFrSE3+IVJCBXu:rMLOYtBVoOs4EsryI1MzQBhbORS1rP2i

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks