General

  • Target

    Bootstrapper (extract.me)(1).zip

  • Size

    1.3MB

  • Sample

    240805-tr1nca1fqk

  • MD5

    a3e58f4009dd652a7f9adaa8503bee03

  • SHA1

    678b602ffe105001d5a7372bfedceb16b07e63a9

  • SHA256

    81fa2f00f9af36db4b0add31164aca81e5a01f5498f8a6cb5fad5d5eb2d73000

  • SHA512

    529246877c40387bee7da8b9922e38485c542bf7a45bd3d0d3ee1ceefe5b311e3c66e8b2b0b72fe7517d79015916c1e4592ecffd3bcc45171dba356ef03e1818

  • SSDEEP

    24576:jpRma1YACmHZFVZRo6HYSS9p5abZ4Ffb5MNliPoePloqtkxBk2Xv/p+KY4V:243/HZTTuWZ4Ffsliz7tcbf/f1V

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

wefdwef-34180.portmap.host:34180

Mutex

c4be1726-3f86-4f80-bc7c-0779b06ffeeb

Attributes
  • encryption_key

    97BF1FDCF446A7218FA05296FD8D8F0C41A6B1E7

  • install_name

    Bootstrapper.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Spotify

  • subdirectory

    system32

Targets

    • Target

      Bootstrapper (extract.me)(1).zip

    • Size

      1.3MB

    • MD5

      a3e58f4009dd652a7f9adaa8503bee03

    • SHA1

      678b602ffe105001d5a7372bfedceb16b07e63a9

    • SHA256

      81fa2f00f9af36db4b0add31164aca81e5a01f5498f8a6cb5fad5d5eb2d73000

    • SHA512

      529246877c40387bee7da8b9922e38485c542bf7a45bd3d0d3ee1ceefe5b311e3c66e8b2b0b72fe7517d79015916c1e4592ecffd3bcc45171dba356ef03e1818

    • SSDEEP

      24576:jpRma1YACmHZFVZRo6HYSS9p5abZ4Ffb5MNliPoePloqtkxBk2Xv/p+KY4V:243/HZTTuWZ4Ffsliz7tcbf/f1V

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Drops file in System32 directory

    • Target

      Bootstrapper.exe

    • Size

      3.1MB

    • MD5

      14b871855a9046ef9aedeec80f9c2d86

    • SHA1

      32c0ad34f524748b76c090fc881b75b928341e7e

    • SHA256

      b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940

    • SHA512

      7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96

    • SSDEEP

      49152:3v7lL26AaNeWgPhlmVqvMQ7XSKlfyCC4KgoGdulF8THHB72eh2NT:3vhL26AaNeWgPhlmVqkQ7XSKlfyg

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks