General

  • Target

    Double.bat

  • Size

    1.6MB

  • Sample

    240413-wk7t7afc78

  • MD5

    948386c98184781df692e5f11ff558f7

  • SHA1

    e8619faf83446ea78e456920834579bbf71aea20

  • SHA256

    7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f

  • SHA512

    0023368d89bf5951b3fc87e4ea8fb84e02a87c0917bd5aef0d5bcc00d5a9de616f4922956a015aa7f748299813876a290b545a309116878506c89de3387148ba

  • SSDEEP

    24576:wdgbyfVoiqSFeKsWoIk3GpiYJKVvlBU4Lr/QIEeL86NKuhRu9xyz2XP9d/qi7q:J4ogzBYGUvrxrl44RQyz2fZq

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

express-divorce.gl.at.ply.gg:22562

Mutex

6735a92b-88d2-4fbe-8e59-605a85072109

Attributes

  • encryption_key

    8681483EF512C654BECF205A0D74FFCA4B129A98

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Trapix Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

Version

3.0

C2

traffic-collins.gl.at.ply.gg:24820

Mutex

uX6FapIHo24Z2JFZ

Attributes

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7171419034:AAFHVFSxi6aVJohwci09QBtbjQ3QtjcLoBc/sendMessage?chat_id=6403260284

  • aes.plain

Targets

    • Target

      Double.bat

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.
