General

  • Target

    2024-04-11_11ac8632bfdc6befcb2e450c8cfba019_icedid_xrat

  • Size

    4.7MB

  • Sample

    240411-aqbhaafc88

  • MD5

    11ac8632bfdc6befcb2e450c8cfba019

  • SHA1

    5a73cdcaf4f77f351fe19542d79a329e7c217bb4

  • SHA256

    071fed2284f56078a1f541e8f9915eb908548bef0548d8672e3237972423cbe9

  • SHA512

    e99e82bc8343fc405c884f8be89a88ea09eb8194331639e59b95d371be689269d6fc92b15430426878865f7e8962e4d76a8e0edc8589861dbdefd34eea83a68d

  • SSDEEP

    98304:mjN0SLc/vr22SsaNYfdPBldt6+dBcjHtKRJ6BMIbzZZIbzZR:HSI3M7jGIPsj

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    Office04

  • C2

    mx5.deitie.asia:4495

  • Mutex

    ebbf737a-dddd-43dd-9b0a-74831302455d

Attributes

  • encryption_key

    F8516D89A1DFD78BD8FF575BBC3AE828B47FF0E1

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15