General

  • Target

    solar.exe

  • Size

    3.1MB

  • Sample

    240525-nfwblaee6z

  • MD5

    ca558fea52e3ca7a1b61e0f69ac268b2

  • SHA1

    2445d78506e19c17c99eca0744719c409c1e2c04

  • SHA256

    a3773025a4ff7ba7e2ea475c8e5b2c74bd60f963ad9e27ae7ca0123fbb235976

  • SHA512

    7d3e5cab72a6e7da4d2cc7fca940d58d0c0c82e1a3ee5dfce38317eb6eb6446bac82ed66bfc96c84e1c7917f1a00c1635640daa42ce09fa3ab27c5f213d73396

  • SSDEEP

    49152:DvrI22SsaNYfdPBldt698dBcjHDsqxbR4LoGdYWTHHB72eh2NT:DvU22SsaNYfdPBldt6+dBcjHDsqe

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

quasar

C2

cr7stakewin-27924.portmap.host:27924

Mutex

b16a5a4a-0575-4e0e-8ddd-77ced9920af6

Attributes

  • encryption_key

    72EAB2364235F953EB6EBC4967F5FAA96FD1EEE1

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar

  • subdirectory

    SubDir

Targets

    • Target

      solar.exe

    • Size

      3.1MB

    • MD5

      ca558fea52e3ca7a1b61e0f69ac268b2

    • SHA1

      2445d78506e19c17c99eca0744719c409c1e2c04

    • SHA256

      a3773025a4ff7ba7e2ea475c8e5b2c74bd60f963ad9e27ae7ca0123fbb235976

    • SHA512

      7d3e5cab72a6e7da4d2cc7fca940d58d0c0c82e1a3ee5dfce38317eb6eb6446bac82ed66bfc96c84e1c7917f1a00c1635640daa42ce09fa3ab27c5f213d73396

    • SSDEEP

      49152:DvrI22SsaNYfdPBldt698dBcjHDsqxbR4LoGdYWTHHB72eh2NT:DvU22SsaNYfdPBldt6+dBcjHDsqe

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job, T1053 (1)

  • Persistence

    Scheduled Task/Job, T1053 (1)

  • Privilege Escalation

    Scheduled Task/Job, T1053 (1)

  • Discovery

    Query Registry, T1012 (2)

    Peripheral Device Discovery, T1120 (1)

    System Information Discovery, T1082 (1)

Tasks