General

  • Target

    fe4ed0e2c6d830596d168ee32dc8a44239ca1705635187f67a0e40234c0f4c14

  • Size

    180KB

  • Sample

    240417-rcq49aah95

  • MD5

    0f97ded4f9f47b2e869905c0d09825cc

  • SHA1

    9c299a70a7371d1203f0e38e8d71ee1436f20808

  • SHA256

    fe4ed0e2c6d830596d168ee32dc8a44239ca1705635187f67a0e40234c0f4c14

  • SHA512

    50b713a2b014ca9c3bd6234d93bdf93ab69abc42f6d1da7dd63fd7bf10e3ccdc8c05f0779d973c6e0f0e842d5043607d4fa7d80dd0c21ecb9fffa56be798187c

  • SSDEEP

    3072:GZ+S8N2b0QchgAem/QFQn0p/OPqeMSyMZqMpJjiqDZ59BGEYB91nNl2zrwAcL/Nt:g+S8I4om/xn0EPuMq2JjiqL9RYlNlLNt

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

qztadmin.duckdns.org:9782

Mutex

QSR_MUTEX_YMblzlA3rm38L7nnxQ

Attributes
  • encryption_key

    mDf8ODHd9XwqMsIxpY8F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      83892117f96867db66c1e6676822a4c0d6691cde60449ee47457f4cc31410fce.exe

    • Size

      348KB

    • MD5

      0a7dccc3c8dd419560ac4bdb8440b77a

    • SHA1

      74a2fe4ca4888ac962b1737af6dc2b58f78048c7

    • SHA256

      83892117f96867db66c1e6676822a4c0d6691cde60449ee47457f4cc31410fce

    • SHA512

      637b9a964954b52986eea5fecc4093ac57f7bff690220bc0f0785c043d327259ba2c372b2c0fba1ec5588fc66bda593009fb8f74b3915fc3561e7fda9b92787c

    • SSDEEP

      6144:+rNHXf500MsbudVpDxWUb2Nsto/pKujjY/R3K:Yd505dVyrsWMuvYZ3K

    • Quasar RAT

      Quasar is an open-source .NET remote access tool (RAT); the values under Malware Config are its builder-time client settings.

    • Quasar payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
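Added example (editor's code, not from this report or the Quasar project): it turns the extracted config above into host and network indicators, runs them over a few constructed Sysmon-style events including the external-IP lookup behaviour flagged above, and shows what the encryption_key attribute is used for. Assumptions: the IP-lookup watchlist and the mutex regex are generic and not taken from the page; the PBKDF2 salt, iteration count and the HMAC|IV|ciphertext layout are recalled from the Quasar v1.3.0.0 client source and should be confirmed against the repository; the install path is matched on its SubDir\Client.exe suffix only because the builder's install location is not stated on the page.

```python
"""Quasar v1.3.0.0 config -> indicators, detection over constructed events, key derivation."""
import hashlib
import hmac
import re

# Config values as extracted on this page.
CONFIG = {
    "c2": "qztadmin.duckdns.org:9782",
    "mutex": "QSR_MUTEX_YMblzlA3rm38L7nnxQ",
    "encryption_key": "mDf8ODHd9XwqMsIxpY8F",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
}

# Shape of this sample's mutex: fixed prefix plus a random alphanumeric tail (length range assumed).
MUTEX_RE = re.compile(r"^QSR_MUTEX_[A-Za-z0-9]{16,24}$")

# Generic watchlist of public IP-lookup services; the page does not name the one this sample used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}


def quasar_indicators(cfg):
    """Derive host and network indicators from the extracted config."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "run_value": cfg["startup_key"].lower(),
        # The client is dropped as <subdirectory>\<install_name>; the parent folder depends on the
        # builder's install location, so only the path suffix is matched.
        "install_suffix": ("\\" + cfg["subdirectory"] + "\\" + cfg["install_name"]).lower(),
    }


def match_events(events, ind):
    """Return (rule, event) pairs for Sysmon-style events that hit the indicators."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").lower()
        from_client = image.endswith(ind["install_suffix"])
        if ev.get("EventID") == 1 and from_client:
            hits.append(("quasar_install_path", ev))
        if ev.get("EventID") == 13 and ev.get("TargetObject", "").lower().endswith("\\run\\" + ind["run_value"]):
            hits.append(("quasar_run_key", ev))
        if ev.get("EventID") == 22:
            query = ev.get("QueryName", "").lower()
            if query == ind["c2_host"]:
                hits.append(("quasar_c2_dns", ev))
            elif query in IP_LOOKUP_HOSTS and from_client:
                hits.append(("quasar_external_ip_lookup", ev))
        if ev.get("EventID") == 3 and from_client and ev.get("DestinationPort") == ind["c2_port"]:
            hits.append(("quasar_c2_connect", ev))
        if MUTEX_RE.match(ev.get("Mutex", "")):
            hits.append(("quasar_mutex_format", ev))
    return hits


# PBKDF2 parameters as recalled from Quasar v1.3.0.0 Client/Core/Cryptography/AES.cs
# (Rfc2898DeriveBytes = HMAC-SHA1, 50000 rounds, fixed salt). Confirm against the tagged source.
QUASAR_SALT = bytes([
    0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
    0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
])


def derive_quasar_keys(encryption_key):
    """Return (aes_key, hmac_key): the first 16 bytes feed AES-128-CBC, the next 64 HMAC-SHA256."""
    stream = hashlib.pbkdf2_hmac("sha1", encryption_key.encode("utf-8"), QUASAR_SALT, 50000, 16 + 64)
    return stream[:16], stream[16:]


def tag_blob(body, hmac_key):
    """Prefix IV|ciphertext with its 32-byte HMAC-SHA256 tag (blob layout as recalled)."""
    return hmac.new(hmac_key, body, hashlib.sha256).digest() + body


def verify_blob(blob, hmac_key):
    """Check the integrity tag before attempting to decrypt: 32-byte tag | 16-byte IV | ciphertext."""
    if len(blob) < 48:
        return False
    tag, body = blob[:32], blob[32:]
    return hmac.compare_digest(tag, hmac.new(hmac_key, body, hashlib.sha256).digest())


# Constructed Sysmon-style telemetry (not from the page): one infected host plus benign browser noise.
CLIENT = r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe"
EVENTS = [
    {"EventID": 1, "Image": CLIENT},
    {"EventID": 13, "Image": CLIENT,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup"},
    {"EventID": 22, "Image": CLIENT, "QueryName": "ip-api.com"},
    {"EventID": 22, "Image": CLIENT, "QueryName": "qztadmin.duckdns.org"},
    {"EventID": 3, "Image": CLIENT, "DestinationPort": 9782},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationPort": 443},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "ip-api.com"},
    {"Source": "sandbox", "Mutex": "QSR_MUTEX_YMblzlA3rm38L7nnxQ"},
]

if __name__ == "__main__":
    for rule, ev in match_events(EVENTS, quasar_indicators(CONFIG)):
        print(rule, ev)
```

The IP-lookup rule only fires when the querying image is the Quasar install path, which keeps ordinary browser traffic to the same services out of the alert set; the mutex regex is the one indicator here that does not depend on this particular build's values.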
