General

  • Target

    Loki.zip

  • Size

    27.1MB

  • Sample

    240426-3tf66aee97

  • MD5

    4004691de83891280197c8e2afc533c6

  • SHA1

    b5415376d2c5f6c4393df262326d547fa797c984

  • SHA256

    7426bfffbdfa22967e0d7570ba07fb0c821d0b65ba6aa159b3798906bf3846cc

  • SHA512

    1fc784e09a326b085a1ef15cebf9fe531e3edbbbaba179ec6bba1ba2ef3fd0028de742d21072fede224f5614b3b8a50ccd14bf1813072529e1aab64973a5b370

  • SSDEEP

    786432:XEyQ7j+e56WR4WJGL48fJKfV0cKCCBwIRMGV/sjGRD9XDoa:0yQH+e5NH4LTJ20vbBBRMGV/Nh9Ma

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.0.102:4782

Mutex

eac23e77-c75f-454e-844b-09c00c9fa1bc

Attributes
  • encryption_key

    E691C3454CA7E584A0CAEACC33DE2648D0070D50

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Loki/install.exe

    • Size

      3.1MB

    • MD5

      888ceac60d45c11a1a8da876c3555247

    • SHA1

      e286dd46646036fbe529a4fed2ceff41f8f00e3f

    • SHA256

      b862d153c5fe9106983a79821c87ab071bf9a7c2492ca378764533cd05784815

    • SHA512

      daa02e6ae8fd9c17b25b93bfd5eec539a6bbc081dbbb0a5507dc9f0019838e83974f9b1b55981318af3c5e3445c3e754cb16a1a83f57e2cbf3115c34f1f3f34b

    • SSDEEP

      49152:yvFt62XlaSFNWPjljiFa2RoUYIiTIcEiOTk/fLoGd0THHB72eh2NT:yv362XlaSFNWPjljiFXRoUYIeIC

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks