Overview

overview

10

Static

static

1

c983314c57...a4.vbs

windows7-x64

10

c983314c57...a4.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4730787ad81772f8d9b03ae8faf9efc3.bin

  • Size

    3KB

  • Sample

    240518-cpqa6aff3y

  • MD5

    c62fb69d7ffeac7f644451b972cd258e

  • SHA1

    94fef07f41b297b530036ff5a613657db363f4e4

  • SHA256

    81a3b3d06db8334d0ee3b76934b14c7338ca9addbd82154a1d493885d8d7b7dc

  • SHA512

    9676fc0ec9794631477184a0f720cdea057a6d8e7def02cb8cad04cc0437ffc808eeb3eba09600e8481ec0ba42a62674c38922652494ca6c190201d003be74cc

Score
10/10
quasaraldo_r3gonexecutionspywaretrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pasteio.com/download/xcxWvykfm30a

Extracted

Family

quasar

Version

1.4.1

Botnet

aldo_R3GON

C2

peurnick24.bumbleshrimp.com:7310

Mutex

77413eeb-5d1c-4bf8-986f-3c9d48a16cd6

Attributes
  • encryption_key

    A3226D93494A561FEC5149605B952B09B55012C6

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4.vbs

    • Size

      197KB

    • MD5

      4730787ad81772f8d9b03ae8faf9efc3

    • SHA1

      4d09795bab624a2dbeb62a14870693f8c0dc810c

    • SHA256

      c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4

    • SHA512

      d7b28b0377fd0ec04d105a6c3ee3ae92ff98d29b3d8aa1d1c677817fad4b9816126eb4e7e23376d60dd1d263dd0e3ad182732b2e2c8ee0cfa54c64440fdaeaec

    • SSDEEP

      384:z1OlYw8nrW9LrBppppppppppppppppppppNGpppppppppppppppppppppppppppf:sfirg/LNA

    Score
    10/10
    executionquasaraldo_r3gonspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks