Resubmissions

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • Sample

    240411-1qw24ahe6s

  • MD5

    3fdc51227758ce53069116625341569d

  • SHA1

    ee099a8afcab18d69cf2c3c2f5193ab5af33fa78

  • SHA256

    356fcec1d7e8ef7c51fa311d1e3013915aca1a44a586cf872abd5bcb927f6319

  • SHA512

    807b4a0f993672d07c580572fdf8dfeb4c443545449aa27c1e595850f2dda73ea7265844f6f9e53baa0a50b723160cfdaa244ef8464ebf032b8cbf28ac1a33ba

  • SSDEEP

    49152:HvnI22SsaNYfdPBldt698dBcjHWDQ0Dmzt0oGd6HTHHB72eh2NT:HvI22SsaNYfdPBldt6+dBcjHcQ0J

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

us1.localto.net:44771

Mutex

abf2fea6-bc08-449e-9ce0-142ecb0a54c5

Attributes
  • encryption_key

    93B883D530A44E5A4457CCB3F463B613FCE53505

  • install_name

    Google.exe.exe

  • log_directory

    Log

  • reconnect_delay

    3000

  • startup_key

    AntimaIware Core Service

  • subdirectory

    SubDir
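The extracted config above is directly usable as host and network indicators. The Python below is an added example, not part of the sandbox report or of the Quasar project: it turns the config values shown on the page (C2, mutex, install_name, subdirectory, startup_key) into checks and runs them over a handful of constructed telemetry events. Assumptions that are mine rather than the report's: the startup_key is treated as the value name of a Run registry key; the base install directory is not stated in the report, so the path check matches only on the `\SubDir\Google.exe.exe` tail (the `AppData\Roaming` prefix in the sample events is invented); the small confusables table is illustrative; and the startup_key is assumed to be imitating the string "Antimalware Core Service", since the page's value spells it with a capital I in place of the lowercase l.

```python
"""Derive indicators from the extracted Quasar config and scan constructed telemetry.

Added example; values in CONFIG are copied from the Malware Config section above.
"""
import re

CONFIG = {
    "c2": "us1.localto.net:44771",
    "mutex": "abf2fea6-bc08-449e-9ce0-142ecb0a54c5",
    "install_name": "Google.exe.exe",
    "startup_key": "AntimaIware Core Service",   # note the capital I, as on the page
    "subdirectory": "SubDir",
}

# Assumption: a tiny confusables table is enough for this sample. A real
# deployment would use a full Unicode confusables list.
_CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})


def skeleton(name: str) -> str:
    """Fold look-alike characters and case so homoglyph masquerades compare equal."""
    return name.translate(_CONFUSABLES).lower()


def looks_like(candidate: str, legit: str) -> bool:
    """True when candidate is a look-alike of legit but not the identical string."""
    return candidate != legit and skeleton(candidate) == skeleton(legit)


def indicators(cfg: dict) -> dict:
    """Build comparable indicator values from the extracted config."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"].lower(),
        "run_value": cfg["startup_key"],
        # Tail only: the report does not state the base install directory.
        "path_tail": ("\\" + cfg["subdirectory"] + "\\" + cfg["install_name"]).lower(),
    }


# "something.xxx.exe": a double extension such as the install_name above.
_DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.exe$", re.I)

# Name the startup_key appears to imitate (assumption drawn from the string itself).
_MASQUERADED_NAME = "Antimalware Core Service"


def scan(events: list, cfg: dict) -> list:
    """Return [(event_index, [reasons...]), ...] for events matching the config."""
    ioc = indicators(cfg)
    hits = []
    for i, ev in enumerate(events):
        reasons = []
        t = ev["type"]
        if t == "network":
            if ev["dst"].lower() == ioc["c2_host"] and ev["port"] == ioc["c2_port"]:
                reasons.append("c2")
        elif t == "mutex":
            if ev["name"].lower() == ioc["mutex"]:
                reasons.append("mutex")
        elif t == "registry" and ev["key"].lower().endswith("\\currentversion\\run"):
            if ev["value"] == ioc["run_value"]:
                reasons.append("run_key")
            if looks_like(ev["value"], _MASQUERADED_NAME):
                reasons.append("run_key_homoglyph")
        elif t == "process":
            path = ev["image"]
            if path.lower().endswith(ioc["path_tail"]):
                reasons.append("install_path")
            if _DOUBLE_EXT.search(path):
                reasons.append("double_extension")
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry (not from the report). The AppData prefix is invented.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\SubDir\Google.exe.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "AntimaIware Core Service",
     "data": r"C:\Users\victim\AppData\Roaming\SubDir\Google.exe.exe"},
    {"type": "mutex", "name": "abf2fea6-bc08-449e-9ce0-142ecb0a54c5"},
    {"type": "network", "dst": "us1.localto.net", "port": 44771},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "network", "dst": "update.googleapis.com", "port": 443},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS, CONFIG):
        print(idx, SAMPLE_EVENTS[idx]["type"], ",".join(why))
```

The exact-match checks (mutex, C2 host and port, Run value name) are the high-confidence part and are specific to this sample; the homoglyph and double-extension checks are the generalisable part, and they still fire if the operator rebuilds the client with a different mutex or C2 but keeps the same masquerade naming.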

Targets

    • Target

      Client-built.exe

    • Size

      3.1MB

    • MD5

      3fdc51227758ce53069116625341569d

    • SHA1

      ee099a8afcab18d69cf2c3c2f5193ab5af33fa78

    • SHA256

      356fcec1d7e8ef7c51fa311d1e3013915aca1a44a586cf872abd5bcb927f6319

    • SHA512

      807b4a0f993672d07c580572fdf8dfeb4c443545449aa27c1e595850f2dda73ea7265844f6f9e53baa0a50b723160cfdaa244ef8464ebf032b8cbf28ac1a33ba

    • SSDEEP

      49152:HvnI22SsaNYfdPBldt698dBcjHWDQ0Dmzt0oGd6HTHHB72eh2NT:HvI22SsaNYfdPBldt6+dBcjHcQ0J

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access stored WinSCP session data.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

MITRE ATT&CK Enterprise v15

Tasks