Resubmissions

General

  • Target

    Client-built.bat

  • Size

    1.6MB

  • Sample

    240414-s6sevace71

  • MD5

    566c653ae6a704041aef596fce6d6a8c

  • SHA1

    da35608bf372a6113d941817a96bc3a17de9ef69

  • SHA256

    950153a1ef5114d609ca8fa79a28374c1f24ae84a8f90ef0a21fb7914639b4e9

  • SHA512

    98662e33f746dce81efe530f6544bf0d83eff2ff35d72bf54e105ef6de121108a4aa28d6e417d3c8e1584a5c0165f78b180574eaa489f11d7cd617b6d31e01c2

  • SSDEEP

    24576:5fdhc8KmdqCxAN6Wzmom6E7SMVePybPyDJq2Tg60xTmDADhXX9wEvIslVYglu0TW:5FhcZmgs4DANHXvhXNVnEyx8f

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

express-divorce.gl.at.ply.gg:22562

Mutex

6735a92b-88d2-4fbe-8e59-605a85072109

Attributes
  • encryption_key

    8681483EF512C654BECF205A0D74FFCA4B129A98

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Trapix Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

Version

3.0

C2

traffic-collins.gl.at.ply.gg:24820

Mutex

uX6FapIHo24Z2JFZ

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7171419034:AAFHVFSxi6aVJohwci09QBtbjQ3QtjcLoBc/sendMessage?chat_id=6403260284

aes.plain

Targets

    • Target

      Client-built.bat

    • Size

      1.6MB

    • MD5

      566c653ae6a704041aef596fce6d6a8c

    • SHA1

      da35608bf372a6113d941817a96bc3a17de9ef69

    • SHA256

      950153a1ef5114d609ca8fa79a28374c1f24ae84a8f90ef0a21fb7914639b4e9

    • SHA512

      98662e33f746dce81efe530f6544bf0d83eff2ff35d72bf54e105ef6de121108a4aa28d6e417d3c8e1584a5c0165f78b180574eaa489f11d7cd617b6d31e01c2

    • SSDEEP

      24576:5fdhc8KmdqCxAN6Wzmom6E7SMVePybPyDJq2Tg60xTmDADhXX9wEvIslVYglu0TW:5FhcZmgs4DANHXvhXNVnEyx8f

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks