General

  • Target

    experimentingnew.exe

  • Size

    3.1MB

  • Sample

    240420-jg3pvabg85

  • MD5

    399bbb3dc58bcc8cc2fe9aef9a3ebac5

  • SHA1

    37be03a9765a8b321c0ddf2ff00acdb106502b7b

  • SHA256

    821f6a7afc4b55e5b636deb590d71b6e5807ad2875cb7feca4e47e1dec7c3d98

  • SHA512

    98e70c54329089015535e30f32006ef8731e69dd32234590ef7f8388403cd68e86c5a4030083f8c510c46c7d0f995fe3a9a82db01a0b6fc288ea7eb5db5fa64f

  • SSDEEP

    49152:LvXlL26AaNeWgPhlmVqvMQ7XSKkZxNESEYk/iMLoGdHCTHHB72eh2NT:LvVL26AaNeWgPhlmVqkQ7XSKex/S3

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

0.tcp.eu.ngrok.io:15209

Mutex

2c47ae55-417f-4523-8ffe-361bacffde6b

Attributes
  • encryption_key

    5921775375700E0556963615862881AFA90D9F9F

  • install_name

    Microsoft Windows Search Indexer.exe

  • log_directory

    Discord

  • reconnect_delay

    3000

  • startup_key

    Runtime Broker

  • subdirectory

    svchost

Targets

    • Target

      experimentingnew.exe

    • Size

      3.1MB

    • MD5

      399bbb3dc58bcc8cc2fe9aef9a3ebac5

    • SHA1

      37be03a9765a8b321c0ddf2ff00acdb106502b7b

    • SHA256

      821f6a7afc4b55e5b636deb590d71b6e5807ad2875cb7feca4e47e1dec7c3d98

    • SHA512

      98e70c54329089015535e30f32006ef8731e69dd32234590ef7f8388403cd68e86c5a4030083f8c510c46c7d0f995fe3a9a82db01a0b6fc288ea7eb5db5fa64f

    • SSDEEP

      49152:LvXlL26AaNeWgPhlmVqvMQ7XSKkZxNESEYk/iMLoGdHCTHHB72eh2NT:LvVL26AaNeWgPhlmVqkQ7XSKex/S3

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks