General

  • Target

    Spoofer V4.exe

  • Size

    3.1MB

  • Sample

    240722-cp839svdnd

  • MD5

    0e819e3cfcb5279dc25538fa254a0cfb

  • SHA1

    a9480ee70ad01f7d84a93bf120004ba1f996d1e1

  • SHA256

    819d2cdbc2e6246f5fb91527101128cbf8171ee04f5bea302b567ea25c6f669c

  • SHA512

    bfe5fe2631421036319da556b519ff03c44510ca5f4cb2b8b22fa4ae20e128c97fd1f49b2913b1226e36d2c2ad5fc4127e3f8722242bb376d828d7fb8d6e8eb6

  • SSDEEP

    49152:Bv+I22SsaNYfdPBldt698dBcjHyzDic0Vfk/FLoGdZN8PTHHB72eh2NT:Bvz22SsaNYfdPBldt6+dBcjHKDVz8

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Bweezys-44502.portmap.host:34107

Mutex

1d720ca2-fc3a-4533-8300-74afceea3a93

Attributes
  • encryption_key

    C0CDED8DDB03E1B037472315F6569B1352DAC01B

  • install_name

    System32.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    .

  • subdirectory

    Windows

Targets

    • Target

      Spoofer V4.exe

    • Size

      3.1MB

    • MD5

      0e819e3cfcb5279dc25538fa254a0cfb

    • SHA1

      a9480ee70ad01f7d84a93bf120004ba1f996d1e1

    • SHA256

      819d2cdbc2e6246f5fb91527101128cbf8171ee04f5bea302b567ea25c6f669c

    • SHA512

      bfe5fe2631421036319da556b519ff03c44510ca5f4cb2b8b22fa4ae20e128c97fd1f49b2913b1226e36d2c2ad5fc4127e3f8722242bb376d828d7fb8d6e8eb6

    • SSDEEP

      49152:Bv+I22SsaNYfdPBldt698dBcjHyzDic0Vfk/FLoGdZN8PTHHB72eh2NT:Bvz22SsaNYfdPBldt6+dBcjHKDVz8

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks