General

  • Target

    Stub.bat

  • Size

    1.8MB

  • Sample

    240805-1nxwlstbje

  • MD5

    042c0717f5118b9f85bfb0790597f3d7

  • SHA1

    ee93298d13751354c9e900af3595f22dfbffdedc

  • SHA256

    2528f2829ab08c1db011c5e59e7e724a263c839ffd7f216927e49289f746c0c6

  • SHA512

    d3fcc52aeef8d5d86f8396dc90e3fbb0eab1b9a4dbf193cae918f149cfa5ee3c000705904b33c6d6c42f93218f3ad71c86bf7b263020d6acd39bc8c01aa8329e

  • SSDEEP

    24576:r0mpTJa6dpWQ04Bx+p+ZVf/IxgcccX8Ors/ORFUHh4ixecaocgUZSD9RRyGGDJ+k:rna6jxxAtTn0xe3nUUD4brUd7Ku

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

147.185.221.20:18563

147.185.221.20:9835

Mutex

c2e1b18a-ce93-436d-ad8b-21bf89015e19

Attributes
  • encryption_key

    9E968F05BD874BA1BE086FD1774A027473823F49

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Stub.bat

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.
