General

  • Target

    yolo.exe

  • Size

    5.7MB

  • Sample

    240802-xvscxs1erc

  • MD5

    275231b1dc6cd9a37e767687257e655d

  • SHA1

    433ce42bf76994b259cf95acd70ddd9a91421ce7

  • SHA256

    3b3fd08f825e24a763ed8abd79dcec933dfd2e3e104f21e5a2bb4a7aa3d3c244

  • SHA512

    5c5837ae8cd4db50d42434071ff4b01d62c276a0f350481ee2ead1f2bfc560bd1edf9cebc37a57a2cd160c65909242473b4c3d2c6cd1b99159cd8b1b2825dbb8

  • SSDEEP

    98304:WXzhW148Pd+Tf1mpcOldJQ3/Vxvk22SsaNYfdPBldt6+dBcjHnj5X9F:WFK4s0TfLOdo/rJ7jVX9F

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.0.174:4782 (RFC 1918 private address: this build beacons to a host on a local network, so no Internet-facing network IOC can be derived from the config)

Mutex

1ddaef8c-bff6-41cf-ab7c-88ced4b0af76

Attributes
  • encryption_key

    D5F1E515D26F03AD6621A5237F6E935EF48F2FD8

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir
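
As an added example (not from the sandbox report or the Quasar project), the following Python turns the extracted config above into host and network hunting checks and runs them over constructed telemetry records. The record shape and field names are assumptions, the telemetry itself is constructed, and the Quasar install path is matched only on its SubDir\Client.exe tail because the base folder is chosen at build time.

```python
"""Added example: map the extracted Quasar config to hunting checks.

Indicator values are taken from the report's Extracted config section.
Telemetry records and their field names are constructed for this example
(assumed Sysmon/EDR-like shape), not real logs from the sample.
"""
import ipaddress
from pathlib import PureWindowsPath

# Values copied from the report's "Extracted" config.
QUASAR_CONFIG = {
    "c2": "192.168.0.174:4782",
    "mutex": "1ddaef8c-bff6-41cf-ab7c-88ced4b0af76",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
}

# Constructed telemetry (field names are assumptions). Two records are benign
# noise so that the matcher's negatives are exercised as well.
TELEMETRY = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Quasar Client Startup",
     "data": r"C:\Users\user\AppData\Roaming\SubDir\Client.exe"},
    {"type": "mutex_create", "name": "1ddaef8c-bff6-41cf-ab7c-88ced4b0af76"},
    {"type": "process_create",
     "image": r"C:\Users\user\AppData\Roaming\SubDir\Client.exe"},
    {"type": "network_connect", "dst_ip": "192.168.0.174", "dst_port": 4782},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "network_connect", "dst_ip": "93.184.216.34", "dst_port": 443},
]


def split_c2(c2: str):
    """Split 'host:port' into (host, port); IPv4 or hostname only."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


def c2_is_private(c2: str) -> bool:
    """True when the C2 host is an RFC 1918/loopback/link-local address,
    i.e. the config will not yield an Internet-facing network IOC."""
    host, _ = split_c2(c2)
    return ipaddress.ip_address(host).is_private


def match_record(rec, cfg):
    """Return the name of the indicator a telemetry record matches, or None."""
    t = rec["type"]
    if t == "mutex_create" and rec["name"].lower() == cfg["mutex"].lower():
        return "quasar_mutex"
    if (t == "registry_set"
            and rec["key"].lower().endswith(r"\currentversion\run")
            and rec["value_name"] == cfg["startup_key"]):
        return "quasar_run_key"
    if t == "process_create":
        # Match on the <subdirectory>\<install_name> tail only; the base
        # folder (e.g. %APPDATA%) is a builder choice, not part of the config.
        p = PureWindowsPath(rec["image"])
        if (p.name.lower() == cfg["install_name"].lower()
                and p.parent.name.lower() == cfg["subdirectory"].lower()):
            return "quasar_install_path"
    if t == "network_connect":
        host, port = split_c2(cfg["c2"])
        if rec["dst_ip"] == host and rec["dst_port"] == port:
            return "quasar_c2"
    return None


def hunt(records, cfg):
    """Group matching records by indicator name."""
    hits = {}
    for rec in records:
        name = match_record(rec, cfg)
        if name:
            hits.setdefault(name, []).append(rec)
    return hits


if __name__ == "__main__":
    for name, recs in hunt(TELEMETRY, QUASAR_CONFIG).items():
        print(name, len(recs))
    if c2_is_private(QUASAR_CONFIG["c2"]):
        print("C2 is a private address; treat the network indicator as lab-only")
```

The private-address check matters for this sample: the mutex, Run key value name and install path are usable host indicators, while the 192.168.0.174:4782 C2 only identifies activity on whatever LAN the operator used.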

Targets

    • Target

      yolo.exe

    • Modifies visibility of hidden/system files in Explorer

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15