General

  • Target

    159f657fbcc6e984293395b6c292b57bcdb6ebdc9cd5fd8551452260a99299ed.exe

  • Size

    10.9MB

  • Sample

    240726-bz1n7s1dra

  • MD5

    84437f486f1e217d9632eb422501fe71

  • SHA1

    21d6b1b128f29b449769f73ad30144da25429a8b

  • SHA256

    159f657fbcc6e984293395b6c292b57bcdb6ebdc9cd5fd8551452260a99299ed

  • SHA512

    c766fd25e3b3e95ddf3bb7750c5dac381c9be30a16f539534009a83295832f8c4cb6b325806c3d2115ad0f97fff7fd3192386f6a8296aeb7d6393b174390209e

  • SSDEEP

    196608:K1ZYTxxaKXrPz9H2P/+BluqDpjiK299pl8sj864GjID4C8:DsKXnVDRQKshr864GjID4C8

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

127.0.0.1:4782

Mutex

81e63d28-e2f8-444a-a65c-9e2953d9fccc

Attributes
  • encryption_key

    9128320CBAFA989ABD1806CCB3DFAA229DAC9EC0

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      159f657fbcc6e984293395b6c292b57bcdb6ebdc9cd5fd8551452260a99299ed.exe

    • Size

      10.9MB

    • MD5

      84437f486f1e217d9632eb422501fe71

    • SHA1

      21d6b1b128f29b449769f73ad30144da25429a8b

    • SHA256

      159f657fbcc6e984293395b6c292b57bcdb6ebdc9cd5fd8551452260a99299ed

    • SHA512

      c766fd25e3b3e95ddf3bb7750c5dac381c9be30a16f539534009a83295832f8c4cb6b325806c3d2115ad0f97fff7fd3192386f6a8296aeb7d6393b174390209e

    • SSDEEP

      196608:K1ZYTxxaKXrPz9H2P/+BluqDpjiK299pl8sj864GjID4C8:DsKXnVDRQKshr864GjID4C8

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks