General

  • Target

    07412fb8708bdbd23115743c4856981eb03873b755d0fbd4ec7745a642dff25c.exe

  • Size

    13KB

  • Sample

    240722-selg8atcqg

  • MD5

    17db34e555e545ce20f804526a31ed48

  • SHA1

    ab18d1d10a85f9e04ed0f04df592e502a54d406b

  • SHA256

    07412fb8708bdbd23115743c4856981eb03873b755d0fbd4ec7745a642dff25c

  • SHA512

    925776bb12d3c30c9688adadb4ebc006901bbd8e8c65535af8eddafd18e19e38135d2e734a144ee2e2d66d92fea5a59ac4925836227dc6af11ecca2788ce2aeb

  • SSDEEP

    384:r7sBDLLNnwR1VvzbL7MCa2l0/NHyq4b3dY6Er:r7aw3Vb0xVdsNGr

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

85.28.47.123:4782

Mutex

37891bd4-27a1-4fb6-aecb-ba06bb063e71

Attributes

  • encryption_key

    7970C2029EDBB83E6BD65073BE18684AC9FF3F48

  • install_name

    KR6nDu9fLhop1bFe.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    defender.proces

  • subdirectory

    SubDir

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks