General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • Sample

    240410-m8apxsge6x

  • MD5

    3f8eed5b849f82d1d648309d4dff4259

  • SHA1

    84afa96423792de3ec490807adf9ed91f3dbe941

  • SHA256

    eaa750c492fa799eb0b19e7d13a265c5091593d8b6c90a7c50b50c8c84469dad

  • SHA512

    ec4e36ec67e6fc355bfec6d5d197c8a35e9d0a3ca2dd412ce90687a42e3776cd8cf910da3d7af1834b808fc76d3569ad81e63e3f1d5d469966db7d318b572ba9

  • SSDEEP

    49152:CvvY52fyaSZOrPWluWBuGG5g5hAfDobRcLoGd3FWTHHB72eh2NT:CvA52fyaSZOrPWluWBDG5g5hAfDL

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Quasar:4782

Mutex

9b67176b-b611-43bb-9088-e3361aae729e

Attributes
  • encryption_key

    8E11C43A418F21B478F3A8A93EDFD963316D550B

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    File Explorer

  • subdirectory

    SubDir

Targets

    • Target

      Client-built.exe

    • Size

      3.1MB

    • MD5

      3f8eed5b849f82d1d648309d4dff4259

    • SHA1

      84afa96423792de3ec490807adf9ed91f3dbe941

    • SHA256

      eaa750c492fa799eb0b19e7d13a265c5091593d8b6c90a7c50b50c8c84469dad

    • SHA512

      ec4e36ec67e6fc355bfec6d5d197c8a35e9d0a3ca2dd412ce90687a42e3776cd8cf910da3d7af1834b808fc76d3569ad81e63e3f1d5d469966db7d318b572ba9

    • SSDEEP

      49152:CvvY52fyaSZOrPWluWBuGG5g5hAfDobRcLoGd3FWTHHB72eh2NT:CvA52fyaSZOrPWluWBDG5g5hAfDL

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Registers COM server for autorun

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks