General

  • Target

    UzpnR6.exe

  • Size

    1.2MB

  • Sample

    240412-s2jl5sbf92

  • MD5

    75c50dbf2c70ea6ca170513f77168f58

  • SHA1

    512cc32329eaa9fcd4c6e507ef2a26823a06f1ac

  • SHA256

    ffcedb5228f316086a811d910fb0e423ef4d16878369b64808a44ccc8f23ae26

  • SHA512

    63eb2eb4f531ba9a3f4ac857e3aabef5cea925a04dbaa7010c2418bcafd0948e77cce3426b8ffb30d860e5e17add310ea6189a23ab180b36147bec193254d457

  • SSDEEP

    24576:7o/ynHkLXGxxGApcTVcIWcRf+r31bfd+v3A0IOhb:7atGxg+cZP32zJVkA0Isb

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

us1.localto.net:38905

Mutex

abf2fea6-bc08-449e-9ce0-142ecb0a54c5

Attributes
  • encryption_key

    93B883D530A44E5A4457CCB3F463B613FCE53505

  • install_name

    Google.exe.exe

  • log_directory

    Log

  • reconnect_delay

    3000

  • startup_key

    AntimaIware Core Service

  • subdirectory

    SubDir

Targets

    • Target

      UzpnR6.exe

    • Size

      1.2MB

    • MD5

      75c50dbf2c70ea6ca170513f77168f58

    • SHA1

      512cc32329eaa9fcd4c6e507ef2a26823a06f1ac

    • SHA256

      ffcedb5228f316086a811d910fb0e423ef4d16878369b64808a44ccc8f23ae26

    • SHA512

      63eb2eb4f531ba9a3f4ac857e3aabef5cea925a04dbaa7010c2418bcafd0948e77cce3426b8ffb30d860e5e17add310ea6189a23ab180b36147bec193254d457

    • SSDEEP

      24576:7o/ynHkLXGxxGApcTVcIWcRf+r31bfd+v3A0IOhb:7atGxg+cZP32zJVkA0Isb

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks