General

  • Target

    d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833

  • Size

    3.1MB

  • Sample

    240412-cdlhtsca33

  • MD5

    3396e77d0d043554c7f857a1249c75fe

  • SHA1

    d3de2678e85f4ad63e5254782a58a85035aafecc

  • SHA256

    d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833

  • SHA512

    3128c03a0465d03127cf6df186533993e2337dce8ca821d8dbcaecd08c7ff7a6d2646de150b7afbe20641e4eb08104342813dfd2fe50346c8b47d40deedc67a4

  • SSDEEP

    49152:WvnG42pda6D+/PjlLOlg6yQipV7tjMpETOk/FLoGd7RTHHB72eh2NT:WvG42pda6D+/PjlLOlZyQipVhj9

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.10.8.36:4782

0.tcp.eu.ngrok.io:19992

tcp://5.tcp.eu.ngrok.io:10477

Mutex

570f8f63-dc8c-471b-b7f5-710ac819d722

Attributes
  • encryption_key

    BB0B2DE4F1126E98797D1ABADF2CCEC47E72B5FD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    150

  • startup_key

    Platonus

  • subdirectory

    SubDir

Targets

    • Target

      d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833

    • Size

      3.1MB

    • MD5

      3396e77d0d043554c7f857a1249c75fe

    • SHA1

      d3de2678e85f4ad63e5254782a58a85035aafecc

    • SHA256

      d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833

    • SHA512

      3128c03a0465d03127cf6df186533993e2337dce8ca821d8dbcaecd08c7ff7a6d2646de150b7afbe20641e4eb08104342813dfd2fe50346c8b47d40deedc67a4

    • SSDEEP

      49152:WvnG42pda6D+/PjlLOlg6yQipV7tjMpETOk/FLoGd7RTHHB72eh2NT:WvG42pda6D+/PjlLOlZyQipVhj9

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks