General

  • Target

    newest build.exe

  • Size

    9.4MB

  • Sample

    240522-zy8kesgg3t

  • MD5

    ce64ce3d8c816918a69aca1fcd29d8ab

  • SHA1

    3b63ad112e526555c81e3a2e5ad30d12627866af

  • SHA256

    8441ca56792be9352decdf9e6cc2d4508ca5186ca8cdc46002d2cfce9aa1920f

  • SHA512

    6e90572f1ebe89eeab7a5e0e4cb2c2bfce8840f2c8139b5e08033ef49e7fa7d4683acab81aa45bcde5ecae6814481dd8be03c38e158f5f73e8d76971c48b2482

  • SSDEEP

    196608:nEd+sxfN1y/GgYIWurErvI9pWjgU1DEzx7sKL/s1tySEQAkjUWlRH2WB:eXxfjy/GgAurEUWjhEhn01tv392WB

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

86.13.66.89:4782

104.28.227.39:4782

Mutex

584f887c-7024-4e16-a56b-684919f2613f

Attributes
  • encryption_key

    F478C43DE74A681AD4F5AF6B28E598051B310CDC

  • install_name

    WPShell.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows PowerShell

  • subdirectory

    SubDir

Targets

    • Target

      newest build.exe

    • Size

      9.4MB

    • MD5

      ce64ce3d8c816918a69aca1fcd29d8ab

    • SHA1

      3b63ad112e526555c81e3a2e5ad30d12627866af

    • SHA256

      8441ca56792be9352decdf9e6cc2d4508ca5186ca8cdc46002d2cfce9aa1920f

    • SHA512

      6e90572f1ebe89eeab7a5e0e4cb2c2bfce8840f2c8139b5e08033ef49e7fa7d4683acab81aa45bcde5ecae6814481dd8be03c38e158f5f73e8d76971c48b2482

    • SSDEEP

      196608:nEd+sxfN1y/GgYIWurErvI9pWjgU1DEzx7sKL/s1tySEQAkjUWlRH2WB:eXxfjy/GgAurEUWjhEhn01tv392WB

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks