General

  • Target

    исх. № 203-7-223.exe

  • Size

    3.9MB

  • Sample

    240530-lzk9maef48

  • MD5

    b048977c762a6e84a15e1c1902a6dda2

  • SHA1

    61cde72ee6194ec5ce65a55f96592c4e2ad32991

  • SHA256

    ccf5ca717cb1cb0edc9d4350639b583e48de04fc62728ccf12023145482ad3c5

  • SHA512

    c09aa1871827dc64f9298324354806c38eee72a4e837ec099b7b0ae569ff1231656503d8cb375ba2aaaa7fc2c4f535fde7f91e9f60b5d4c0e75150ae5ceb365b

  • SSDEEP

    98304:Lxv+7XiqJRaNV+JzRGtDbuxOjy33iVUav:Lxvw0KJEsxsUav

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    29_05

  • C2

    193.124.33.141:4782

  • Mutex

    da09c009-cbaa-4e3e-99a0-43ad74359ce0

Attributes
  • encryption_key

    DD459BB92A43EF8EEB2FE401C8453F685AECE590

  • install_name

    ChromiumDaemon.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Chromium Extentions Service

  • subdirectory

    ChromiumExtentions

Targets

    • Quasar RAT

      Quasar is an open-source Remote Access Tool (RAT).

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.
