General

  • Target

    30c381a042e571d4d749f7aff6e1b17d77100ad35368c9a67136c1b5436c79cb.exe

  • Size

    3.1MB

  • Sample

    240721-jld72sybjp

  • MD5

    9167d3b0a23d7297adec5765d95085e8

  • SHA1

    aac8386cbce54562957aadb0dc7fe8e6e231cae3

  • SHA256

    30c381a042e571d4d749f7aff6e1b17d77100ad35368c9a67136c1b5436c79cb

  • SHA512

    4e61f54e241ae253bcadd97cbd85db92947d6f9aa5df6c592d351bd69efd85a264ae3530e0aec00c41ce337ce0065709ec5c03759d6b3ce6a414500a6d03e695

  • SSDEEP

    49152:XvGhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaCO1TqMartToGd3THHB72eh2NT:Xvot2d5aKCuVPzlEmVQ0wvwfvxqb

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Jamalhacker-55716.portmap.host:55716

Mutex

d9a4b732-5ed3-49c0-a650-198571d9b9a9

Attributes
  • encryption_key

    A02B54BA4DB9446C1CB7FBE79D3509275E1D59B9

  • install_name

    Windows defender.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows defender backup

  • subdirectory

    SubDir

Targets

    • Target

      30c381a042e571d4d749f7aff6e1b17d77100ad35368c9a67136c1b5436c79cb.exe

    • Size

      3.1MB

    • MD5

      9167d3b0a23d7297adec5765d95085e8

    • SHA1

      aac8386cbce54562957aadb0dc7fe8e6e231cae3

    • SHA256

      30c381a042e571d4d749f7aff6e1b17d77100ad35368c9a67136c1b5436c79cb

    • SHA512

      4e61f54e241ae253bcadd97cbd85db92947d6f9aa5df6c592d351bd69efd85a264ae3530e0aec00c41ce337ce0065709ec5c03759d6b3ce6a414500a6d03e695

    • SSDEEP

      49152:XvGhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaCO1TqMartToGd3THHB72eh2NT:Xvot2d5aKCuVPzlEmVQ0wvwfvxqb

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks