Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    API_Connector.bat

  • Size

    586KB

  • Sample

    240610-scd1cszfph

  • MD5

    54b83bd573c13cd414255d487f47b770

  • SHA1

    f35b29215c9039af7294b1e9db7977447f380cbe

  • SHA256

    fae3ed9b66f0e1fc27bdd6605dd3fd0600ff4291971d850f61cd0696c4ed9926

  • SHA512

    8c607148b7e001d5ea9efb048cebf3fc78238f333cc09c368078f77b0d0fcf4ac22a5594bd7417515ee4ea73e7943fb1e47232e9caac6e3e74caa3313c89f6d9

  • SSDEEP

    12288:LiR+aj62WqH39ttfD1KhLZ6azySThfOwppoCQ/gcOhKrYFuuZUDGO0:mQt2WwxGJtvpOt/owriUDt0

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Slave

C2

runderscore00-61208.portmap.host:61208

Mutex

QSR_MUTEX_cq1PvE2FSZsrtLytho

Attributes
  • encryption_key

    5vXgZSbIpHJzAn3ZrosQ

  • install_name

    $phantom-powershell.exe

  • log_directory

    $phantom-Logs

  • reconnect_delay

    3000

  • startup_key

    Powershell

  • subdirectory

    $phantom-zero

Targets

    • Target

      API_Connector.bat

    • Size

      586KB

    • MD5

      54b83bd573c13cd414255d487f47b770

    • SHA1

      f35b29215c9039af7294b1e9db7977447f380cbe

    • SHA256

      fae3ed9b66f0e1fc27bdd6605dd3fd0600ff4291971d850f61cd0696c4ed9926

    • SHA512

      8c607148b7e001d5ea9efb048cebf3fc78238f333cc09c368078f77b0d0fcf4ac22a5594bd7417515ee4ea73e7943fb1e47232e9caac6e3e74caa3313c89f6d9

    • SSDEEP

      12288:LiR+aj62WqH39ttfD1KhLZ6azySThfOwppoCQ/gcOhKrYFuuZUDGO0:mQt2WwxGJtvpOt/owriUDt0

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks