General

  • Target

    501dfc869027ce8fd3329fbd9a79612dJaffaCakes118.bin

  • Size

    490KB

  • Sample

    240517-29wfcagd53

  • MD5

    501dfc869027ce8fd3329fbd9a79612d

  • SHA1

    278bc6d4d47d30f8bb166294aeaa5abf8e3b8af8

  • SHA256

    a700c208e84d5427566a321f204bce16f8b7d5a3655bd76b6637920f46289172

  • SHA512

    63cb9741e154789487b7c08a7ab8a79d0e73f2e88d6fdf283d920d25efedd2eaf6a6c6015c0a821e2cbe77c34151c9d457c396a31e736a7ba405bdf17c435d41

  • SSDEEP

    12288:lKTiROXSsD3dsZ490rARMq+YDP1F1auHSIL+klXg/J3/cFd:lK/ViZcRiGnHH6MXgCFd

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Alexia-Station

C2

79.134.225.69:4782

Mutex

QSR_MUTEX_UR8lkLH1hfB8BFkqFf

Attributes
  • encryption_key

    gO53Ewkmsbtfm9kB1s5G

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Java Update

  • subdirectory

    SubDir

Targets

    • Target

      Timsistem_Product_Specifications - 2020.07.16.exe

    • Size

      740KB

    • MD5

      bf7fe4334d0b4363d70bd997460588a3

    • SHA1

      dcba20338c5dbde13a8189f0d154e3d650cca99c

    • SHA256

      bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2

    • SHA512

      be3739a91180dfc1c391045fe2f9a27be3303f6a8c042cee8af7c0bca73483768c33dd806a464a7fdee1b4203135b1fde132a3edc86bd3122ba83f4b993ac4fa

    • SSDEEP

      12288:E1bl3SKiQ9X5M1EL6GgmV5hT82Hnb6tY1CoO4SOSWGbz3hLkbLvhu:OVoQ9EWe23Q0b6tYbO4e3t

    • Quasar RAT

      Quasar is an open-source remote access tool (RAT) for Windows, written in C#; the extracted config above (C2, mutex, encryption key, install name, startup key) is the client's embedded settings.

    • Quasar payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is commonly used for process injection and process hollowing.
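The extracted config is directly actionable for hunting. The Python below is an added example, not part of the sandbox report or of Quasar: it derives host and network indicators from the config values shown above and runs them over constructed Sysmon-style events. Assumptions: Quasar's persistence is a value named after startup_key under the Run key (hive depends on privileges), the base install folder is not in the config so the file indicator matches only the `\SubDir\svchost.exe` tail, and the event dictionaries are a constructed shape, not real Sysmon output.

```python
from dataclasses import dataclass

# Copied from the extracted Quasar 1.3.0.0 config above.
CONFIG = {
    "c2": "79.134.225.69:4782",
    "mutex": "QSR_MUTEX_UR8lkLH1hfB8BFkqFf",
    "install_name": "svchost.exe",
    "subdirectory": "SubDir",
    "startup_key": "Java Update",
}

# Assumption: Quasar persists via a Run value named after startup_key; the
# hive (HKCU or HKLM) depends on the privileges the client runs with.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class Ioc:
    kind: str    # "mutex", "registry", "network" or "file"
    value: str


def iocs_from_config(cfg: dict) -> list[Ioc]:
    """Derive host and network indicators from the extracted config."""
    host, port = cfg["c2"].rsplit(":", 1)
    return [
        Ioc("mutex", cfg["mutex"]),
        Ioc("registry", RUN_KEY + "\\" + cfg["startup_key"]),
        Ioc("network", host + ":" + port),
        # Only the tail of the install path is known from the config; the base
        # folder (AppData, ProgramData, ...) is a build option not shown here.
        Ioc("file", "\\" + cfg["subdirectory"] + "\\" + cfg["install_name"]),
    ]


def event_matches(ev: dict, ioc: Ioc) -> bool:
    """Compare one Sysmon-style event (constructed shape) against one indicator."""
    if ioc.kind == "mutex" and ev["type"] == "mutex_create":
        return ev["name"] == ioc.value
    if ioc.kind == "registry" and ev["type"] == "registry_set":
        # Strip the hive prefix so HKCU and HKLM both match.
        path = ev["target"].split("\\", 1)[1]
        return path.lower() == ioc.value.lower()
    if ioc.kind == "network" and ev["type"] == "network_connect":
        return f"{ev['dst_ip']}:{ev['dst_port']}" == ioc.value
    if ioc.kind == "file" and ev["type"] == "process_create":
        # Suffix match: the dropped svchost.exe lives under <base>\SubDir\,
        # so the genuine C:\Windows\System32\svchost.exe does not match.
        return ev["image"].lower().endswith(ioc.value.lower())
    return False


def match_events(events: list[dict], iocs: list[Ioc]) -> list[tuple[int, Ioc]]:
    """Return (event index, indicator) pairs for every hit."""
    return [(i, ioc) for i, ev in enumerate(events)
            for ioc in iocs if event_matches(ev, ioc)]


# Constructed sample events, not from the sandbox run. Event 3 (same C2 host,
# wrong port) and event 4 (the real System32 svchost.exe) are negative controls.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Java Update"},
    {"type": "mutex_create", "name": "QSR_MUTEX_UR8lkLH1hfB8BFkqFf"},
    {"type": "network_connect", "dst_ip": "79.134.225.69", "dst_port": 4782},
    {"type": "network_connect", "dst_ip": "79.134.225.69", "dst_port": 443},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_create",
     "image": r"C:\Users\victim\AppData\Roaming\SubDir\svchost.exe"},
    {"type": "mutex_create", "name": r"Global\UnrelatedMutex"},
]

IOCS = iocs_from_config(CONFIG)

if __name__ == "__main__":
    for idx, ioc in match_events(SAMPLE_EVENTS, IOCS):
        print(f"event {idx}: {ioc.kind} matched {ioc.value}")
```

The file indicator deliberately matches on the path tail rather than the bare name, because the install_name `svchost.exe` collides with a legitimate Windows binary; matching on name alone would fire on every real service host.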

MITRE ATT&CK Enterprise v15