General

  • Target

    0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50

  • Size

    6.0MB

  • Sample

    240501-treqwadb63

  • MD5

    4d05ea664b21ab95e888f456afa1a7a8

  • SHA1

    b4ddeb5b9c83cd8ff02004f52751d1298212a37c

  • SHA256

    0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50

  • SHA512

    05825d447257267ab9079f15f31565dc7bf88dc6293ccf9ca93bee67a63ef1a68ee29b5a54d33336a4864e326b90239fc34b13831e1243b1390a96f5214aad20

  • SSDEEP

    98304:aBDvEtGdg2pgJTJSCYLCWcpc2tlbWvKUeR+T8u0:aBDt9gJTXYGWcRtlivOA

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes
  • encryption_key

    534734397C0FA9A1D28F061AD75DF4100BFF5787

  • install_name

    Msconfig.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50

    • Size

      6.0MB

    • MD5

      4d05ea664b21ab95e888f456afa1a7a8

    • SHA1

      b4ddeb5b9c83cd8ff02004f52751d1298212a37c

    • SHA256

      0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50

    • SHA512

      05825d447257267ab9079f15f31565dc7bf88dc6293ccf9ca93bee67a63ef1a68ee29b5a54d33336a4864e326b90239fc34b13831e1243b1390a96f5214aad20

    • SSDEEP

      98304:aBDvEtGdg2pgJTJSCYLCWcpc2tlbWvKUeR+T8u0:aBDt9gJTXYGWcRtlivOA

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks