General

  • Target

    Quasar-Installer.exe

  • Size

    491KB

  • Sample

    240524-bfyqhafg64

  • MD5

    8def0ef788602675c4d6fc2a72f93944

  • SHA1

    b153631a58aa2b88120412f84493fb3250673e4c

  • SHA256

    2862c2fdbd071dd3308fb352a626da5e5f010c9b5ee9b3b1f6671e78c556dd55

  • SHA512

    e10bbc8b382accb4e946e1058c3bf17305a8df53d3d034dace25b7506d2fb7d56b47b5ed6552c3fc0a32d492f9eccf92d95664591091f7d0c30aac882a3ea45b

  • SSDEEP

    12288:5CQjgAtAHM+vetZxF5EWry8AJGy0vC8JLY8V1/3sRRAw:55ZWs+OZVEWry8AF18JLYgUR1

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    Quasar

Targets

    • Target

      Quasar-Installer.exe

    • Size

      491KB

    • MD5

      8def0ef788602675c4d6fc2a72f93944

    • SHA1

      b153631a58aa2b88120412f84493fb3250673e4c

    • SHA256

      2862c2fdbd071dd3308fb352a626da5e5f010c9b5ee9b3b1f6671e78c556dd55

    • SHA512

      e10bbc8b382accb4e946e1058c3bf17305a8df53d3d034dace25b7506d2fb7d56b47b5ed6552c3fc0a32d492f9eccf92d95664591091f7d0c30aac882a3ea45b

    • SSDEEP

      12288:5CQjgAtAHM+vetZxF5EWry8AJGy0vC8JLY8V1/3sRRAw:55ZWs+OZVEWry8AF18JLYgUR1

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks