General

  • Target

    skibidirat.exe

  • Size

    3.1MB

  • Sample

    240805-jzq4rs1blm

  • MD5

    797c5548befc52f7b0dbedc8e6172184

  • SHA1

    05e5fd623d589e9790e648348f05e317d926b8c4

  • SHA256

    62e9fdaaf90da01ef28a26823e3442d73b93dc0e23d93139df631701cf6da260

  • SHA512

    2ed20953b97ae2a2dfad7735dcef327f69cd08e9d2acaefd7a23dec0890463dd5a97c5cb1fb54634a052613b55752fc3ce624939dd89ef85bcdae5d46a19e0b5

  • SSDEEP

    49152:xHobtR1o2PmNXo7WCr5Ft4Rw8FcXrYd+THHB72eh2NT:xHmRvmNXo7WCr5+w8A

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

147.185.221.18:42996

147.185.221.18:1770

Mutex

c2e1b18a-ce93-436d-ad8b-21bf89015e19

Attributes
  • encryption_key

    9E968F05BD874BA1BE086FD1774A027473823F49

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      skibidirat.exe

    • Size

      3.1MB

    • MD5

      797c5548befc52f7b0dbedc8e6172184

    • SHA1

      05e5fd623d589e9790e648348f05e317d926b8c4

    • SHA256

      62e9fdaaf90da01ef28a26823e3442d73b93dc0e23d93139df631701cf6da260

    • SHA512

      2ed20953b97ae2a2dfad7735dcef327f69cd08e9d2acaefd7a23dec0890463dd5a97c5cb1fb54634a052613b55752fc3ce624939dd89ef85bcdae5d46a19e0b5

    • SSDEEP

      49152:xHobtR1o2PmNXo7WCr5Ft4Rw8FcXrYd+THHB72eh2NT:xHmRvmNXo7WCr5+w8A

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks