General

  • Target

    Update.bat

  • Size

    328KB

  • Sample

    240722-ewmvqawemf

  • MD5

    3259c1bdc1ae4f60a513662a01d5afd2

  • SHA1

    b3199b5f291df56d4ae2c97b2c8a545acc155041

  • SHA256

    eea2dda0776cbf7f56bf73adc3da633e854ff44e7b68e778a4e9742c0ed77fc6

  • SHA512

    ff32e3bc66b02e49c9c3a5f2b89a228bbf19bdf60726531baae215d980ae235c67d1bf72e7f36b69b68fb86f38af521dc4ce459ad20023a9665916742470f08e

  • SSDEEP

    6144:wM8EPSig+RCN4pIBAZDIVe7TEQP+jkM1w1CJPCFg45BiXmTuYT:wSSicap7I6TEQGYMeCJKFg45omT3T

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Office04

C2

late-mills.gl.at.ply.gg:21882

Mutex

$Sxr-GA3W8c5c96zLDbSSVg

Attributes

  • encryption_key

    bKtC4p0FyTyeoqDbfF6G

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SeroXen Client Startup

  • subdirectory

    SubDir

Targets

    • Quasar RAT

      Quasar is an open-source Remote Access Tool.

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks