General

  • Target

    17634226205.zip

  • Size

    67.9MB

  • Sample

    240606-qzqxbseg91

  • MD5

    fb3798726fbd48cb7dce89e3dfb5ceac

  • SHA1

    2f54d26c1f0b59fe52c8a53c040a90ad1b69c29a

  • SHA256

    7b95a57099ef6c8a418678a323f5cc8e3065bd7e04d3f9fb9b3f66cb0a2e37ab

  • SHA512

    a5e0dd293cf433f3ff2ead3e65345c4f97f8a3821c256fc465076b2ec4f7cc71b1e8163e0d0c8f3718e7c376e1788b83cc3139d0379d676edc78433d05342c1b

  • SSDEEP

    1572864:VZlVxWT6uh1A8N6qJUMGg7JKRL8EcgUEu5EgoB3pCqmfTmBfvyJz80wnNU+:XQmuDndZWLHcgz2YZZmbmEJ40wnu+

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.3.0.0

  • Botnet

    iSpring Suite

  • C2

    dragons.4cloud.click:1982

  • Mutex

    rAok3Bn91dJeJbDXOl

  • Attributes

    • encryption_key

      1KJfoF8pVLBGtN9uzB0i

    • install_name

      Client.exe

    • log_directory

      4K

    • reconnect_delay

      3000

    • startup_key

      Quasar Client Startup

    • subdirectory

      SubDir

Targets

    • Target

      3c3709b1034ea2023c6a40a2f2c66f27e63000b5f3f398ff11a71da44a2969ff

    • Size

      69.1MB

    • MD5

      9c0e635401b0bc6bb9f32bf61c831309

    • SHA1

      1ba8408785b86eea68702003b200822f2b8768ad

    • SHA256

      3c3709b1034ea2023c6a40a2f2c66f27e63000b5f3f398ff11a71da44a2969ff

    • SHA512

      d8adf0313061d1f9a32bc00fbdc9f414cc117e2017101bdcba7da34a3b124d759fbc029d62eb62aa89a135b964e33610e62d3b7a90200126578f7e2687b4b870

    • SSDEEP

      1572864:YVo7Cqx85SMJ/A/8Ww5XF6aC0TIOR6+m8YKF60K7H:6o21/AUB5XF8WIOR6+PO0KL

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Registers COM server for autorun

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1
    • PowerShell (T1059.001): 1

Persistence

  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Event Triggered Execution (T1546): 1
    • Change Default File Association (T1546.001): 1
  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 2

Privilege Escalation

  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Event Triggered Execution (T1546): 1
    • Change Default File Association (T1546.001): 1
  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 2

Defense Evasion

  • Impair Defenses (T1562): 1
    • Disable or Modify System Firewall (T1562.004): 1
  • Modify Registry (T1112): 4

Credential Access

  • Unsecured Credentials (T1552): 1
    • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 3
  • System Information Discovery (T1082): 2
  • Peripheral Device Discovery (T1120): 1

Collection

  • Data from Local System (T1005): 1
