General
-
Target
https://gofile.io/d/uAGMKa
-
Sample
240517-qa43naab6y
Score
10/10
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
PoofNRico
C2
nahchris-49021.portmap.host:49021
Mutex
1a5d095f-2c59-4b3f-b053-5bd928b2e541
Attributes
-
encryption_key
ADBAB4BC16998E7E1913E54C27829FE47C72BE6D
-
install_name
PlutoBETAv2.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
DiscordUpdater.exe
-
subdirectory
PlutoBETAv2
Targets
-
-
Target
https://gofile.io/d/uAGMKa
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
An obfuscated cmd.exe command-line is typically used to evade detection.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1