General

  • Target

    a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe

  • Size

    916KB

  • Sample

    240629-b29pws1dlr

  • MD5

    fb57053d7202dbaca1e71a649047597f

  • SHA1

    b5c39ce77aa7c9a0f5f044eb887fb4baec3ce0db

  • SHA256

    a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87

  • SHA512

    fe4f64695c0121180b2a0829f82cee6de42170d17b34125f1ac0741580e58c1c282ea1bc5d1a0c8a3ae597f3e2dc014c8980416a2bfdcf30db98df984cf1ab43

  • SSDEEP

    24576:tmkdueXjq0OQKc2YSEegpQRDLusJLK1lkyoLP:IkdueXjq0OQKc2YSEegpshk1lk

Malware Config

Extracted

Family

quasar

Version

2.8.0.1

Botnet

backup

C2

45.40.96.164:5552

Mutex

4zqoNUTZKMvnLHkoUD

Attributes
  • encryption_key

    S2EJJjFXQqrAnFg7XBWE

  • install_name

    Registry.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Hotels Client Startup

Targets

    • Target

      a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe

    • Size

      916KB

    • MD5

      fb57053d7202dbaca1e71a649047597f

    • SHA1

      b5c39ce77aa7c9a0f5f044eb887fb4baec3ce0db

    • SHA256

      a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87

    • SHA512

      fe4f64695c0121180b2a0829f82cee6de42170d17b34125f1ac0741580e58c1c282ea1bc5d1a0c8a3ae597f3e2dc014c8980416a2bfdcf30db98df984cf1ab43

    • SSDEEP

      24576:tmkdueXjq0OQKc2YSEegpQRDLusJLK1lkyoLP:IkdueXjq0OQKc2YSEegpshk1lk

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables containing URLs to raw contents of a Github gist

    • Detects executables embedding command execution via IExecuteCommand COM object

    • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

    • Detects file containing reversed ASEP Autorun registry keys

    • detects Windows exceutables potentially bypassing UAC using eventvwr.exe

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix

Tasks