General

  • Target: Solara Executor V2.rar
  • Size: 1.2MB
  • Sample: 240802-vmr13sscqr
  • MD5: 51e6735ce2042e2ba0c187a3c47ff2df
  • SHA1: 0902722a7e18a5a90c81dc786ab3b5ec616f2d70
  • SHA256: a83f40624d7d8f6f769e672c41a72785bb623fa6f87640aac16cd7300599b21e
  • SHA512: bcd27ec0ef174fd44e8295d84196ea4da9f9f7d15dd9fb814b9a8608c7585e723eb6ad415317648654e3b97a15e35d4b9c9d5702c2e4b55a2f78203fa8d7be72
  • SSDEEP: 24576:w2TfBF51vJNv35DAcR3VXXslc7lHR+tOJyZkZN0z1qCA8G2gA7bprFarC1RuQBrn:w2bBb1vucnnGc7lHRPIyMhA8pgAHpJUY

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: Office04
  • C2:
      192.168.68.119:4782
      realwz-34142.portmap.host:34142
  • Mutex: 6eb5c908-87fa-4e33-a3b3-a6eaa2455bad

Attributes

  • encryption_key: 458FF650B9D9D277FD5A8DC74175331B7B2FC1B9
  • install_name: Downloader.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: SolaraExecutor
  • subdirectory: SubDir

Targets

    • Target: Solara Executor V2/Download (RUN FIRST).exe
    • Size: 3.1MB
    • MD5: c23404d4606f1e49bfc9efff359ed317
    • SHA1: da2904b0f8e16119576e389c0d77c2b4c96baf9e
    • SHA256: 00345f840ce5cc3045c67e63e93f2fb438963eeb13a8d8587e2b196d4bc79591
    • SHA512: 30bb2f181342ab8e9c8bd851d554bedb6f87a91021b2a521ed02313ec146083920b33cc3a28135fb4b45f6103dc0c8fb01ba61096ece3ad23e2e5d3cd5720407
    • SSDEEP: 49152:fvRuf2NUaNmwzPWlvdaKM7ZxTw1KYw1Jr9oGd09THHB72eh2NT:fvsf2NUaNmwzPWlvdaB7ZxTw1KYm

    • Quasar RAT: Quasar is an open source Remote Access Tool.
    • Quasar payload
    • Executes dropped EXE

    • Target: Solara Executor V2/Solara Executor.exe
    • Size: 795KB
    • MD5: a7f3293b177a63f6c50b5560e729cbff
    • SHA1: 4885073e4881cffc5c5155de720aa65755418fe8
    • SHA256: da17868f107954124c0953fd1cb37ac8ed4e78460905e83d6402b966a77ee7dc
    • SHA512: 70b3431b238457a24e66914d0059e7e8e2dc4f79ac49c9a9c510214b8bc1279af6947288442060ac02c3cf3c863c144ef95219006097d2e59183586f7f701438
    • SSDEEP: 12288:Hs0xF36Z1LyI6QQsJNOoRQ1jt/Nppxu29CHWzO:xxJ6Z1L5J8oRQ1jt/Nppxv9C2

    Score: 7/10

    • Deletes itself
    • Executes dropped EXE
    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks