General

  • Target

    2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat

  • Size

    4.7MB

  • Sample

    240416-svqrwafa91

  • MD5

    bc03059f709594662ca9f9f0e33bc7bd

  • SHA1

    b7dc7b3175d7d99714280629c232788f7a7b8e18

  • SHA256

    5855aec848037736bc17bb493f326b5354022bba6c3767755dc8a415adc34e2d

  • SHA512

    60e44dd84172edb91e0d17b9cdd6feadc81502667c0316c7c5bd760d425e667cf2b05e648f7d68aead2911cd4dd28775866cea7e96101fd1514bb183f8514dac

  • SSDEEP

    98304:yCu0aTxAvr22SsaNYfdPBldt6+dBcjHtKRJ6BrIbzZ6IbzZR:TaN+M7jGI0Hj

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

mx5.deitie.asia:4495

Mutex

ebbf737a-dddd-43dd-9b0a-74831302455d

Attributes
  • encryption_key

    F8516D89A1DFD78BD8FF575BBC3AE828B47FF0E1

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat

    • Size

      4.7MB

    • MD5

      bc03059f709594662ca9f9f0e33bc7bd

    • SHA1

      b7dc7b3175d7d99714280629c232788f7a7b8e18

    • SHA256

      5855aec848037736bc17bb493f326b5354022bba6c3767755dc8a415adc34e2d

    • SHA512

      60e44dd84172edb91e0d17b9cdd6feadc81502667c0316c7c5bd760d425e667cf2b05e648f7d68aead2911cd4dd28775866cea7e96101fd1514bb183f8514dac

    • SSDEEP

      98304:yCu0aTxAvr22SsaNYfdPBldt6+dBcjHtKRJ6BrIbzZ6IbzZR:TaN+M7jGI0Hj

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks