Overview

overview

10

Static

static

10

Install.cmd

windows7-x64

10

Install.cmd

windows10-2004-x64

10

Loader.exe

windows7-x64

10

Loader.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    xMainDab.rar

  • Size

    110KB

  • Sample

    240602-s6qk9afh3v

  • MD5

    da3cd4f40dbda9603d615420f1f03abf

  • SHA1

    6536f4b774c84e94c449f2893adc5f53ecfe5ccb

  • SHA256

    2d69da9d85e385e410a5934b936037add1b249396a3b21a1567e87770194197a

  • SHA512

    01d40ab409fa3132412fa6bcf3e2c05cd0fa5b4b09a2e7ddb1a42e3900627b447501575c75be41ca8ed2ffb47e2a01856182a95dac947a5dfa7e2c847a26d2e4

  • SSDEEP

    3072:4UHTSNVLu96rC7mB2ew697nwDdKonygRxXGLQKZ4nUK7Uh:4UHTELJkiG697wDdKodxXGMKZNt

Score
10/10
quasarofficeexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

espinyskibidi-40205.portmap.host:40205

Mutex

CdrjrrWbtRopP1ic7E

Attributes
  • encryption_key

    P2ctPN6uGReD4W1dEypm

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Client

  • subdirectory

    Microsoft

Targets

    • Target

      Install.cmd

    • Size

      407B

    • MD5

      d605e519c8fb10ecc49055af63c0f213

    • SHA1

      a69b61879040aa541258035461260159ea51369a

    • SHA256

      1452be84cfc1ea5aee5db2011fe8e2a5b72ff2fe637b77696d720734f58eac89

    • SHA512

      304e8825d0afa6f7235859bb2083d728510d48806b06214225978592e8c4f8d065e1bcf3ca9eb39d4312b762a83e1054237d11cecbb3347ef4868bb4574b0e2b

    Score
    10/10
    quasarofficeexecutionspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      Loader.exe

    • Size

      286KB

    • MD5

      4e47b6257fa7e2221df20e6d9f7fc47a

    • SHA1

      7d6116a578f51d87cad1efe9e5971c412eb769a9

    • SHA256

      eeddf97a4c02250bdff26feba1085ff30277d2f71054cd32e8796554fffb23e6

    • SHA512

      6e5e3d2e865fa2c2d229c70f7a10a3821316b91b7daa66ecdfea9dcc7275d30da56f56a90eb64fdbe603e0aa50d5d797c40a4877e48ab0328a6d6ebc06ddd532

    • SSDEEP

      6144:OhVZx2zU1Ypil1TQxqhzu4nkhdVwbjJ1ybkWrrpo:ExT1tY4Idc1ybkWho

    Score
    10/10
    quasarofficespywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks