Resubmissions

17-05-2024 13:12

240517-qft5msac5z 10

17-05-2024 13:09

240517-qdv9xsac4s 10

General

  • Target

    PlutoBETAV2.rar

  • Size

    17.3MB

  • Sample

    240517-qdv9xsac4s

  • MD5

    f5826a96fb92493dc08adfea4e762273

  • SHA1

    b756604b32dcef3aee64e8f338438c92e194520d

  • SHA256

    dce8aa2451ab2695e3bc88e6a7aa6b4bc0caea02d9b20995a2a2ffba17094139

  • SHA512

    481342db1076482767df9dcef0c1696b381c83da04e6e16fff8fc9eaba9a5cbe1f507c08ab96ddb6f214b85cfdb48f67b8f1ccd36d4ce43ad45fc7e8e57ccffc

  • SSDEEP

    393216:joAreTqwqv2Ztrc0MvGXkOyMhds3mbqH0agLHCfvR+VQIMR:jVreutvhIUkWsqH0ag+RW8

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PoofNRico

C2

nahchris-49021.portmap.host:49021

Mutex

1a5d095f-2c59-4b3f-b053-5bd928b2e541

Attributes
  • encryption_key

    ADBAB4BC16998E7E1913E54C27829FE47C72BE6D

  • install_name

    PlutoBETAv2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    DiscordUpdater.exe

  • subdirectory

    PlutoBETAv2
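The extracted fields above map directly onto hunting artifacts: the C2 value is a host:port pair on a port-forwarding service (portmap.host), startup_key is the value name Quasar registers under a Run key, and subdirectory plus install_name give the on-disk filename. The Python below is an added example, not part of the sandbox report or of Quasar's own code; it turns the config into a Suricata DNS rule, a Sigma rule for the Run value, and an expected install path. The sid range, the Sigma field names and the %APPDATA% base directory are assumptions (the install base is not part of the extracted config).

```python
import json

# Values copied from the extracted config above; reconnect_delay is in ms.
CONFIG = {
    "family": "quasar",
    "version": "1.4.1",
    "botnet": "PoofNRico",
    "c2": ["nahchris-49021.portmap.host:49021"],
    "mutex": "1a5d095f-2c59-4b3f-b053-5bd928b2e541",
    "install_name": "PlutoBETAv2.exe",
    "startup_key": "DiscordUpdater.exe",
    "subdirectory": "PlutoBETAv2",
    "reconnect_delay": 3000,
}


def parse_c2(entry):
    """Split a 'host:port' C2 entry; rejects entries without a numeric port."""
    host, _, port = entry.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"bad c2 entry: {entry!r}")
    return host, int(port)


def suricata_rules(config, base_sid=9000001):
    """One DNS-query rule per C2 host. base_sid is an assumed local sid range."""
    rules = []
    for i, entry in enumerate(config["c2"]):
        host, _port = parse_c2(entry)
        rules.append(
            f'alert dns any any -> any any (msg:"Quasar RAT C2 DNS query '
            f'({config["botnet"]})"; dns.query; content:"{host}"; nocase; '
            f"sid:{base_sid + i}; rev:1;)"
        )
    return rules


def sigma_rule(config):
    """Sigma rule keyed on the Run value name Quasar writes (startup_key)."""
    return {
        "title": f"Quasar RAT Run key persistence ({config['botnet']})",
        "status": "experimental",
        "logsource": {"product": "windows", "category": "registry_set"},
        "detection": {
            "selection": {
                # Matches HKCU or HKLM ...\CurrentVersion\Run\<startup_key>
                "TargetObject|endswith": "\\CurrentVersion\\Run\\" + config["startup_key"],
            },
            "condition": "selection",
        },
        "level": "high",
    }


def expected_install_path(config, base="%APPDATA%"):
    """Where the client should land on disk; the base directory is an assumption."""
    return "\\".join([base, config["subdirectory"], config["install_name"]])


def indicator_bundle(config):
    """Flat, JSON-serialisable IOC set for sharing with other teams/tools."""
    hosts = [parse_c2(e) for e in config["c2"]]
    return {
        "family": f"{config['family']} {config['version']}",
        "network": [{"host": h, "port": p} for h, p in hosts],
        "mutex": config["mutex"],
        "run_value_name": config["startup_key"],
        "install_path": expected_install_path(config),
    }


if __name__ == "__main__":
    for rule in suricata_rules(CONFIG):
        print(rule)
    print(json.dumps(sigma_rule(CONFIG), indent=2))
    print(json.dumps(indicator_bundle(CONFIG), indent=2))
```

The mutex name is the cheapest host-side check: Quasar clients open it at startup, so a process holding that exact GUID mutex is this build, regardless of what the file was renamed to.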

Targets

    • Target

      PlutoBETA.2/PlutoBETA.V2.exe

    • Size

      3.1MB

    • MD5

      1b84762faebd8469f686f703cbaef7b9

    • SHA1

      41e135a8a2a9525e09a2303055430e36d95780cd

    • SHA256

      4b857bc454edef7fa460fecb36f676fa38bab8b3304f3f07d12b9777fa0b68cb

    • SHA512

      da9482a2ef6fbe659afff4c5a0d1911145bb93be47dd5a714e4e1c24802f1e9d9669f5a209665a7da752e56d2c82c41e48c5bd951d26a2cd763fc8a62d4e703c

    • SSDEEP

      49152:PvylL26AaNeWgPhlmVqvMQ7XSKO1RboGreTHHB72eh2NT:PvqL26AaNeWgPhlmVqkQ7XSKO1l

    • Quasar RAT

      Quasar is an open-source .NET remote access tool (RAT).

    • Quasar payload

    • Executes dropped EXE

    • Target

      PlutoBETA.2/PlutoBETA.exe

    • Size

      37.6MB

    • MD5

      529f707d764d2da27d2b8f982e5c3c37

    • SHA1

      e4ab7395a54777c310259b975e6ccbd1cc934d37

    • SHA256

      90473bef6e0137f9d543260dec681ee7ce0f0e833f4084b4d427c1fea3f49045

    • SHA512

      67e551b165f02fabd406afaa5a88cf75aa69cec689b544d41d093656783828236813102cbab8d8868457eec070039d381fe544c9215d07f66730fe4e97ceef63

    • SSDEEP

      393216:JQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgh96l+ZArYsFRl7du:J3on1HvSzxAMNhFZArYsSPvp7OZuF

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs a command through powershell.exe.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill data.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Queries a legitimate IP-lookup web service to learn the infected system's external IP address.

    • An obfuscated cmd.exe command line is typically used to evade detection.

    • Drops file in System32 directory

    • Target

      PlutoBETA.2/SetupVideo - Shortcut.lnk

    • Size

      1015B

    • MD5

      d835bf06e41cad74eee11c2cc1322107

    • SHA1

      35f73d77ff355ba4aa08a71cec1d49002edd5175

    • SHA256

      fd607023b58ec7535ff83ad28327e15cfb758551fcee20c508d2edead1233403

    • SHA512

      965f62437d740e6bb330b78da1b26642aaba9f1dbd6648b5914263289424715a9e62767bef4f3a6e5f2a57b71c112263d2c58e5ea5572f5dde70a164b39d8942

    Score
    3/10
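The behaviours listed for PlutoBETA.exe (executing a dropped EXE, launching powershell.exe, adding a Run key, contacting the C2 and an IP-lookup service) are each visible in ordinary endpoint telemetry. The Python below is an added example, not the sandbox's own detection logic; it runs simple detections over constructed Sysmon-style events (the PIDs, user name, SID, the Roaming install path and the api.ipify.org lookup host are all assumptions made for the sample data). The ATT&CK IDs are the standard ones for Run-key persistence and PowerShell execution.

```python
# Constructed Sysmon-style events modelling the report's behaviours.
# Event IDs: 1 = process create, 3 = network connect, 11 = file create,
# 13 = registry value set. None of these lines come from the sandbox.
DROPPER = "C:\\Users\\victim\\Desktop\\PlutoBETA.2\\PlutoBETA.exe"
CLIENT = "C:\\Users\\victim\\AppData\\Roaming\\PlutoBETAv2\\PlutoBETAv2.exe"
RUN_KEY = ("HKU\\S-1-5-21-1004336348-1177238915-682003330-1001"
           "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DiscordUpdater.exe")

EVENTS = [
    {"EventID": 11, "ProcessId": 4120, "Image": DROPPER, "TargetFilename": CLIENT},
    {"EventID": 1, "ProcessId": 4388, "ParentProcessId": 4120, "Image": CLIENT,
     "ParentImage": DROPPER, "CommandLine": CLIENT},
    {"EventID": 1, "ProcessId": 4412, "ParentProcessId": 4120,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": DROPPER,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command Get-Culture"},
    {"EventID": 13, "ProcessId": 4388, "Image": CLIENT,
     "TargetObject": RUN_KEY, "Details": CLIENT},
    {"EventID": 3, "ProcessId": 4388, "Image": CLIENT,
     "DestinationHostname": "nahchris-49021.portmap.host", "DestinationPort": 49021},
    {"EventID": 3, "ProcessId": 4120, "Image": DROPPER,
     "DestinationHostname": "api.ipify.org", "DestinationPort": 443},
]

# Known C2 from the extracted config, plus assumed examples of IP-lookup services.
KNOWN_C2 = {("nahchris-49021.portmap.host", 49021)}
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ip-api.com"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def is_user_writable(path):
    """Cheap heuristic: does the path live somewhere an unprivileged user can write?"""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events):
    """Return (label, subject, detail) findings for a stream of events, in order."""
    findings = []
    dropped = {}  # lower-cased path of a written .exe -> image that wrote it
    for e in events:
        eid = e["EventID"]
        if eid == 11 and e["TargetFilename"].lower().endswith(".exe"):
            dropped[e["TargetFilename"].lower()] = e["Image"]
        elif eid == 1:
            image = e["Image"].lower()
            if image in dropped:
                findings.append(("Executes dropped EXE", e["Image"], dropped[image]))
            if image.endswith("\\powershell.exe") and is_user_writable(e["ParentImage"]):
                findings.append(("T1059.001 PowerShell spawned by user-writable parent",
                                 e["ParentImage"], e["CommandLine"]))
        elif eid == 13 and "\\currentversion\\run\\" in e["TargetObject"].lower():
            if is_user_writable(e["Details"]):
                value_name = e["TargetObject"].rsplit("\\", 1)[-1]
                findings.append(("T1547.001 Run value points to user-writable path",
                                 value_name, e["Details"]))
        elif eid == 3:
            host, port = e["DestinationHostname"].lower(), e["DestinationPort"]
            if (host, port) in KNOWN_C2:
                findings.append(("Known Quasar C2", e["Image"], f"{host}:{port}"))
            elif host in IP_LOOKUP_HOSTS:
                findings.append(("External IP lookup", e["Image"], host))
    return findings


if __name__ == "__main__":
    for label, subject, detail in detect(EVENTS):
        print(f"{label:55} {subject} -> {detail}")
```

The Run-key check deliberately does not depend on the value name DiscordUpdater.exe: flagging any Run value that resolves into a user-writable directory catches the next build of this family after the operator changes startup_key, while the known-C2 and mutex indicators only catch this one.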

MITRE ATT&CK Enterprise v15

Tasks