General

  • Target

    95ac49ea8ca4c65c807bdd666ce103b3c37ba995e8bab38d705ddacb88f50305.exe

  • Size

    1.3MB

  • Sample

    240530-brpxqshd3z

  • MD5

    96b4cf51bebab4887e19e4130ba179a8

  • SHA1

    4366099721910192416f6df074659750fbd32d70

  • SHA256

    95ac49ea8ca4c65c807bdd666ce103b3c37ba995e8bab38d705ddacb88f50305

  • SHA512

    bd7498feeda13f37f06cc020b1ae373464994fa7de87666d7fe378f07d1d73dc67517546d2c0300be8e89ddaa6b4be67ad7130e59a19ebb63bba781539f210b3

  • SSDEEP

    24576:mOyKHIdpTrwV7PF+hJZZYnm/d7u1o1Uwtl4CHvPos0Fl11Aapp+QX4:kKHerwV7PFqJZZem/Ru1YJrHHos0Fl34

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

bin-inspections.gl.at.ply.gg:64055

Mutex

536deaa9-57d2-448a-ae01-b604426d7fa6

Attributes
  • encryption_key

    DBB529B3F56F6D23695F8D7AC9BA28484A0D6D0F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      95ac49ea8ca4c65c807bdd666ce103b3c37ba995e8bab38d705ddacb88f50305.exe

    • Size

      1.3MB

    • MD5

      96b4cf51bebab4887e19e4130ba179a8

    • SHA1

      4366099721910192416f6df074659750fbd32d70

    • SHA256

      95ac49ea8ca4c65c807bdd666ce103b3c37ba995e8bab38d705ddacb88f50305

    • SHA512

      bd7498feeda13f37f06cc020b1ae373464994fa7de87666d7fe378f07d1d73dc67517546d2c0300be8e89ddaa6b4be67ad7130e59a19ebb63bba781539f210b3

    • SSDEEP

      24576:mOyKHIdpTrwV7PF+hJZZYnm/d7u1o1Uwtl4CHvPos0Fl11Aapp+QX4:kKHerwV7PFqJZZem/Ru1YJrHHos0Fl34

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks