General

  • Target

    ImageLoggerV12.1.exe

  • Size

    67.2MB

  • Sample

    240426-vy77fahc71

  • MD5

    b20331fa046509f76ceda8e27aeb77b6

  • SHA1

    14c1ba0796eb3e96743b53c37bfb281483ba3df9

  • SHA256

    5ec5e53e7ce7c77ae1c320e8342f4f341eb8cda9445bfd5d96d57a6b449ab2a5

  • SHA512

    ecd77c9387bc2088be542b8be151e84fa710a414ccc6ea9a810aad968301d64ae004d5e721266a38d65993943bbcfd9b6a4200d6bd3f546d21df77e82fa01908

  • SSDEEP

    786432:+IsHSlubkIuIiRBE5EXssNvKtQXXizbsjwAWMhirL2rskj+V8MiCKEa27pW3j0hX:uyjpIiRLhibvKS703gXrlx79mK+S

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

NareReti-40382.portmap.host:40382

Mutex

1f3547a3-6112-47d5-9c48-4fb1bd3d6344

Attributes
  • encryption_key

    CE886B4F24E457903274F7555F940215147255CD

  • install_name

    CasNic.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Google Chrome

  • subdirectory

    SubDir

Targets

    • Target

      ImageLoggerV12.1.exe

    • Size

      67.2MB

    • MD5

      b20331fa046509f76ceda8e27aeb77b6

    • SHA1

      14c1ba0796eb3e96743b53c37bfb281483ba3df9

    • SHA256

      5ec5e53e7ce7c77ae1c320e8342f4f341eb8cda9445bfd5d96d57a6b449ab2a5

    • SHA512

      ecd77c9387bc2088be542b8be151e84fa710a414ccc6ea9a810aad968301d64ae004d5e721266a38d65993943bbcfd9b6a4200d6bd3f546d21df77e82fa01908

    • SSDEEP

      786432:+IsHSlubkIuIiRBE5EXssNvKtQXXizbsjwAWMhirL2rskj+V8MiCKEa27pW3j0hX:uyjpIiRLhibvKS703gXrlx79mK+S

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks