General

  • Target

    Unify.exe

  • Size

    409KB

  • Sample

    240502-a7h9fseb95

  • MD5

    54db32b9d5cab2c1dea1907cf4712b1d

  • SHA1

    812f28828735a92effd2187e155d9ed3f0e915b3

  • SHA256

    e7d8e1b13c833d49fcc46a03d34ff18b7c93bd86bd0764828fa68d3d9eed2bbe

  • SHA512

    6a13febe964f3f639e7d017f58c2f6631c18bea5a1ac716efa49a1c5306ecd2708cf92f133a9fcd8dc22850e661522a98f23c0fb7cb09752bb96a6d50bb69163

  • SSDEEP

    6144:0MP9p1kREG60olVji9QzNg/IiSjFqBFK6WbMN6Y44vZqJBWAb7yMTj:fpiREGJ2ji9QyAhK/N6gBqJBj7yMTj

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

192.168.1.20:4782

localhost:4782

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes
  • encryption_key

    hwZQsCIcvotNKosjYueb

  • install_name

    $srr-powershell.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    $srr-mstha

  • subdirectory

    Windows

Targets

    • Target

      Unify.exe

    • Size

      409KB

    • MD5

      54db32b9d5cab2c1dea1907cf4712b1d

    • SHA1

      812f28828735a92effd2187e155d9ed3f0e915b3

    • SHA256

      e7d8e1b13c833d49fcc46a03d34ff18b7c93bd86bd0764828fa68d3d9eed2bbe

    • SHA512

      6a13febe964f3f639e7d017f58c2f6631c18bea5a1ac716efa49a1c5306ecd2708cf92f133a9fcd8dc22850e661522a98f23c0fb7cb09752bb96a6d50bb69163

    • SSDEEP

      6144:0MP9p1kREG60olVji9QzNg/IiSjFqBFK6WbMN6Y44vZqJBWAb7yMTj:fpiREGJ2ji9QyAhK/N6gBqJBj7yMTj

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

5
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Command and Control

Web Service

1
T1102

Tasks