General

  • Target

    2024-04-11_7157bb4fd707d8feb0688e02de58e2f6_icedid_xrat

  • Size

    4.7MB

  • Sample

    240411-av26ssae21

  • MD5

    7157bb4fd707d8feb0688e02de58e2f6

  • SHA1

    f645fd81e17916034701e03e94109835bdaaa315

  • SHA256

    f16b09c1b311892dbe11c466c2bf4393f2750e1365e9d3c59983e7b5c03a0734

  • SHA512

    b665018d4747eeeeba89bbf6620e45478de53e27d24406270723a2c4607ec52f67457a3f8b070203c7a4ae69153fe701f7e515a28248791ed6406bdbc36ec11b

  • SSDEEP

    98304:eYD10K/8fvr22SsaNYfdPBldt6+dBcjHtKRJ6BcIbzZFIbzZR:CKUXM7jGIfAj

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

mx5.deitie.asia:4495

Mutex

ebbf737a-dddd-43dd-9b0a-74831302455d

Attributes
  • encryption_key

    F8516D89A1DFD78BD8FF575BBC3AE828B47FF0E1

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      2024-04-11_7157bb4fd707d8feb0688e02de58e2f6_icedid_xrat

    • Size

      4.7MB

    • MD5

      7157bb4fd707d8feb0688e02de58e2f6

    • SHA1

      f645fd81e17916034701e03e94109835bdaaa315

    • SHA256

      f16b09c1b311892dbe11c466c2bf4393f2750e1365e9d3c59983e7b5c03a0734

    • SHA512

      b665018d4747eeeeba89bbf6620e45478de53e27d24406270723a2c4607ec52f67457a3f8b070203c7a4ae69153fe701f7e515a28248791ed6406bdbc36ec11b

    • SSDEEP

      98304:eYD10K/8fvr22SsaNYfdPBldt6+dBcjHtKRJ6BcIbzZFIbzZR:CKUXM7jGIfAj

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks