General

  • Target

    95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28

  • Size

    43.0MB

  • Sample

    240730-lfwk9awbjj

  • MD5

    bf0186af3227da62aeb3db92c1e5182d

  • SHA1

    3ca8b3b9e80bf08fffd1e9ccece85b4467af2889

  • SHA256

    95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28

  • SHA512

    7592395ad64bc9e8ff2eea9127d99a3eeb8bb408d62ab105670ee5f5473bd9fa4027268bc0fc55a9920dd702e6692777851d42d6d807a6d85cbc59a34a295eb1

  • SSDEEP

    786432:7Zz9QTeRXpXlJRRct8dl+ugoX0e+yPwGZGU30LTbQTeRXpXlJRRct8dlSFOiHW:7J9QqRZXXcol+3k0wpZtk/bQqRZXXcoH

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

128.199.64.220:4782

Mutex

a6aa1ddd-3810-492e-8728-facd9d5ede65

Attributes

  • encryption_key

    CB9F9A0F270F5BD4211B4E21054ED956F7A81814

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Hit Sender/AxInterop.MSTSCLib.dll

    • Size

      360KB

    • MD5

      0c7d8ecb8fb4b88fd42de85e30944826

    • SHA1

      b8ca7c11063d58008f8b19cf93ebaab8245e616d

    • SHA256

      0c1a7276c53d85feae0996fb2f4524e2aeffa78c96304bf25e70c68f123e5e94

    • SHA512

      2d3078a0b583d9d4e5ebeaab4e3baa11e61f4988ff96bfa27152ea30d1e6374e704429f63f30ab6bfe72381830f5fd17e605f327ad9d2616d75ce0f336dc73e3

    • SSDEEP

      3072:LZEKEcvukPhjyUG2p8wV0z6gWAkapSyS6hH+GC1Z5U8I:qwhjvGU0WgWAkaW6hH+GC1ZF

    Score
    1/10

    • Target

      Hit Sender/Interop.MSTSCLib.dll

    • Size

      738KB

    • MD5

      a2a32a9b5cf3a554c351073821f9e366

    • SHA1

      3208bc1a1d4f526fd0abfad1ef7c3185f7d7b1d9

    • SHA256

      f4d5ad2f9053a39f652831baa915e90645e6198b56817969e2cd45f6223c3a0c

    • SHA512

      057373efd77d0744d60ab4ebe3bd6133e3edbc1e25137279398f84c254b1a400406954512f4252432daf6f4a8879611b05a694b23b643230b8f35578677f96be

    • SSDEEP

      12288:iuF8zCZQHmtk76B4veVsjyJgXW9UrqxINQzitUn2BYL6l8szncUicKs8geyRli+p:iuF8zCZQHmtk76B4veVsjyJgXW9Urqxq

    Score
    1/10

    • Target

      Hit Sender/NLBrute Hit Sender-Checker.exe

    • Size

      1.8MB

    • MD5

      663627e9e7d0f30d41dc754cec70c2a9

    • SHA1

      4f6562ee4c4a209e8ccdd894d5955909afc3498e

    • SHA256

      59c8595468186da0d323b5a5fc0304b04412fe11bea16c11bdce5315502a8716

    • SHA512

      b3184e56e9d9a9ae0bef34912c9e927e0dfdd100b7e36862e2a1f98af56bccb58fa23783cd9f42cbb663e70ba26835a24a27cca5e077b2d5e0a46ff1b8f412c3

    • SSDEEP

      24576:0Yh9sKCs4uvW4jfb2K90oo+C8JwUZc0PY0yNuVC9Hbv50eFGPlfFZDO+:p/C7uRfbQswUZcSByYGv5ujZ7

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Target

      Hit Sender/RestSharp.dll

    • Size

      186KB

    • MD5

      ebb404b296276a65d85a13ce889a64ab

    • SHA1

      2fe54894589988a7c3b0c752f4de9d84b3f21312

    • SHA256

      37bf2a8815e1833153ff92d0bec3a1405f5c5f146884d0563a96bacd1b0074f9

    • SHA512

      c0ba618cc6aa3987930598bf9557f6e2aa6657f72febdc034b07ac25c2682debeccac4940a27a8612c1b84c70e350e78d19e8928cac613cadc48e4fefada9f71

    • SSDEEP

      3072:32SM9KBmXowyrg7h2Bk3uIRUgpOYx+fsh6ow4iDvmRBktpWaLJ1qbC:WbXDyG2GeyUglf6ow4iDoZ

    Score
    1/10

    • Target

      Hit Sender/SkinSoft.VisualStyler.dll

    • Size

      1.0MB

    • MD5

      69e6563e0e7ea843e9b37d58819f4136

    • SHA1

      4aebf9955ba0d0b5205b6b013da634aa0281a25d

    • SHA256

      f9fa9f508b9350ed12ed3aa5b7f24aed901a6434b1b02d1f0ee301b8eea54b06

    • SHA512

      c883bcb3f6f2ac3f2fe88eed1356178ff2b43bdeed2188aa06f35cbc9dda8745a3a5c2d28d99daae5b6ea9af46abcae45b7bd4da13f318ba31062a8e8b79a942

    • SSDEEP

      12288:OSVkAXRzNIYqsdMExMDj/iREVGx2G4dZJ25jad4NJQe5rkAf/e5rkp3gN372sx00:ZRz+YqsdMExMDj/iRHx2dJ7Wsx0

    Score
    1/10

    • Target

      IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)/IP Scanner.exe
      (The Vietnamese part of the folder name translates to: "Replacement for MassScan, runs on Guest or without Administrator rights".)

    • Size

      12.3MB

    • MD5

      57bf838c7b78b1d6382492047c5e58e7

    • SHA1

      e9f399ec58e2435305193cd3685c99f87622cd42

    • SHA256

      1ab440ef04f4b1396b6b6d6959887867f1b0f2b3c639b74920d3e7ad6fc64933

    • SHA512

      4e3304333604dce2c7f2ae446102764fba815f97cc3264878a66b451a781fe7c44d1821089aa155be141e86c8f626da24cd5f19bc6b1ce6aadc35c3f215adc70

    • SSDEEP

      196608:O1iODtjizE9onJ5hrZELte9tGPqKM48RmU/3ZlsPv2SEDTb5zTvN8CfZjAPaBk:bOD/9c5hlELdPNMtN3ZWjc3xTLjAS

    Score
    7/10

    • Loads dropped DLL

    • Target

      KPort Scaner/KPortScan V3.exe

    • Size

      232KB

    • MD5

      9e474178aff71d68f7b72fb186d6d763

    • SHA1

      5eb3a66848515aed1cd9bb235dcb452e7470e5a2

    • SHA256

      16c1e3fea0b086044036f402b5e00af9efd689417fe98fed51884539a4ad44bd

    • SHA512

      ae41194fa85b4c5bb63f21e3218e62aa482d09b9fe3b4a3ea449c76d5d140abd232519abb563c70df3191d4be18b820af91c33842e1ed3459687fc2edb1593f2

    • SSDEEP

      6144:k997OTkNPTqLIOt6r+9dEPlUIbrMOFTfM0OZhErjie0KK3m+nak:FTkNLlE3m+n

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Target

      KPort Scaner/QtCore4.dll

    • Size

      2.4MB

    • MD5

      438717377b9df0f53f283c9e4aa722cc

    • SHA1

      c413917dfcb816799613c6f86b55952c887ff711

    • SHA256

      a679cf46e128d028de22fb9ed8432e5107e53f8e7e6fb7f5e169b3eeab8f000a

    • SHA512

      03c10588ec47bce9b6c40fedffcaa775b84bb691450789000c17e7df02554036ee336d382524b35bfa67dbc4ae4b95d3d1807d61f46016427856f60850383f3f

    • SSDEEP

      49152:vfGCzRdEZK8hyX2ntJsv6tWKFdu9CeTxLyvL/6mShMZtmjNUVrciV5P+7QVg07Tl:vf8KF2tJsv6tWKFdu9CIK

    Score
    3/10

    • Target

      KPort Scaner/QtGui4.dll

    • Size

      8.0MB

    • MD5

      37957facc9afbdfbd119c8372c9cf0e3

    • SHA1

      1f5584ae75e947ffcbe00dc17bc423bf3f906ad0

    • SHA256

      bf52fec00b4f640d07bea3850096cc77983fca518bbec8122997b7ca561205f1

    • SHA512

      24ef6418f904b646d31912e0f350a0eb10147015bbd4b3710aba62c5a1da5d001600d9a381beb8d871d30cc0b07cf2fdb034f81f60810d8c14899cacdf68ad4d

    • SSDEEP

      98304:ixT4yTZMEMrIJCZxMvwQoVgN1617/PO1IQlS4Xsmw2zZQvkfsnXWP:ixbZxDJ9vv7617VQlSesn

    Score
    3/10

    • Target

      KPort Scaner/QtNetwork4.dll

    • Size

      982KB

    • MD5

      5c6afae60414546cef0a9b759da93912

    • SHA1

      928aba35960a17b9ee3a3e2f2f890b8aa6842e6b

    • SHA256

      99757ec661fd7de3b22fb641f25cf1565aae13daf8d31c6686c6c7cbd2be6fc9

    • SHA512

      bbd7aae541c5677317f68472c4be008164909f6395c43e554c4b070fb398ec680f496505644de0a706f831bc850e770c60c699d5aa0d5a7e0e19c5fc48e5c727

    • SSDEEP

      12288:BQ4LHoNwBkUx/0RpieLY+EZ8R2/hGT/YOt2ck/qTpQ39NM7LMi7nR4djiz0R6H2j:zr/k60RpizZ83/T6CTeNuMwR4djip8L

    Score
    3/10

    • Target

      MassScan/Massscan_GUI.exe

    • Size

      334KB

    • MD5

      7a6990bf78f3e2e835d3be85a2fea4ba

    • SHA1

      9e2760e0c13d56cb744262b4fdef67e17ee08571

    • SHA256

      37ff328175acd45ef27d3d339c3127a7612ad713fccd9c9aae01656dfbf13056

    • SHA512

      ba2b8cd80613bff44c1624d6a17bae797b81fb53979f6a901850dac5e824483513cd312ff8a5aaa9d5eb3cf5c825785a7a53965692d2fb6274d22b6e62f9735c

    • SSDEEP

      3072:eaxe0aX5Cw9Q56z456zB56zuIXk89V756zM:nanPj8X

    Score
    3/10

    • Target

      MassScan/Packet.dll

    • Size

      94KB

    • MD5

      1250bef11bfa086f772cd2a273bc036e

    • SHA1

      bfb60b4072f4533d8497f3d90631f818e345bcc6

    • SHA256

      6b19cffaa2bf4359be1a0130a1fb47ab45e8c3be5d0cb7986579c5e04e1d77a5

    • SHA512

      76cbc346468d400c4e6a95b3c91abfec0a63a375aade6f47c70a3b3db76c513bcfd91ed2994059a6c8bdd6b266f9b17ecf11f9941481c7a2692925d2457f5bba

    • SSDEEP

      1536:6wG9plhvRIRVC2wJAyPFCnPKc0z70yIKtIn8zVpWj:E9rjh5t9cZyIKtInb

    Score
    3/10

    • Target

      MassScan/masscan.exe

    • Size

      232KB

    • MD5

      c50f3b0b23dfe5c66561bb9297bf7bbc

    • SHA1

      5f14241aea174608a7c85127fdad042d7382277d

    • SHA256

      de903a297afc249bb7d68fef6c885a4c945d740a487fe3e9144a8499a7094131

    • SHA512

      33c557c53b4f65cde67bc0f6a7952822d194e0da262aa7d44c1d527ed300043ad1c06002cd42e69ad98ad2c7b62aa98d66ac0aa211ddfa97dde3e737da3f768f

    • SSDEEP

      6144:9WQaNTimmz/EkPt1xeHP9mCeswbjnK6swOp9cL:vMTuz/Ek1eHP9KPf698

    Score
    3/10

    • Target

      MassScan/msvcr100.dll

    • Size

      755KB

    • MD5

      0e37fbfa79d349d672456923ec5fbbe3

    • SHA1

      4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    • SHA256

      8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    • SHA512

      2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    • SSDEEP

      12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z

    Score
    3/10

    • Target

      MassScan/winpcap-4.3.exe

    • Size

      423KB

    • MD5

      ae26452c8b3d97ef2037521ac0dd3a8b

    • SHA1

      3ad99ec2bf6cc4f947bb09be627c91f82a898aa8

    • SHA256

      f28156a96be558dfb83a3d935223a127816ad124b94f92c499400c38078ad842

    • SHA512

      f5012a9600542b46eca137f41d58d6a6d3071aa36ca2b4c0f0119639cdf051c0a0e597c674583c4ec5753f8368ca121282acbf084930d2b1f30671f2032448d9

    • SSDEEP

      6144:MsNaGdmkMIdQQkpxYLcP+k471Xr4bjMxiW+D/xqfF3o2KCzDunki8m/VlidXTj2G:AG4kDdc8L4bQA5qt3CxnkLwlQFPcOLJ

    Score
    7/10

    • Loads dropped DLL

    • Target

      $PLUGINSDIR/InstallOptions.dll

    • Size

      14KB

    • MD5

      79327201915b7cf3ba0c5d1a143aa925

    • SHA1

      185b6f5520b1c39d3e7d9d91ed099698fac46d92

    • SHA256

      1edf8dc7b6ef67e7cf68f6b07f38be5b336b5e6b2d1d5500cdb3e121b8381394

    • SHA512

      c51086b7e039c83abb727a33b7f1ccac4fa999373b0423ac4b253e87195a5515d29e98ea2ed64f30406a14db4bf94422d34e6c9db8fc80be5c4e3fc77fd0207e

    • SSDEEP

      192:QGs+dH4+oQOTgDbzuNfrigyULWsXXZF/01JJijYK72dwF7dBEnbok:QGvdH4qMebzPY2VijY+BEnbo

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

pyinstaller, office04, upx, neshta, quasar
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

neshta, discovery, persistence, spyware, stealer
Score
10/10

behavioral6

neshta, discovery, persistence, spyware, stealer
Score
10/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
7/10

behavioral12

Score
7/10

behavioral13

neshta, discovery, persistence, spyware, stealer
Score
10/10

behavioral14

neshta, discovery, persistence, spyware, stealer
Score
10/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
7/10

behavioral30

discovery
Score
7/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10