General

  • Target

    8e4b03326da8410bfdf148a4e8f16d30N.exe

  • Size

    1.6MB

  • Sample

    240806-lncs4szdjg

  • MD5

    8e4b03326da8410bfdf148a4e8f16d30

  • SHA1

    70f5283a78c6b2299ce634e46a53da08ebda6a3f

  • SHA256

    8f184572b6aa8674cb0f4c5063268f2270b992e31b9f6f970a96e384e2b2462f

  • SHA512

    a256a9bc2739d7b9f6dcd631438ec62c39e084f4e40e474501a1ad1c9d277fe14258fe84cd434a51751011028413ac7d5261cbe6208baf7e59cda798ebb03513

  • SSDEEP

    24576:hEeqQq3K9YIrFiM6MKDXAW5cXRpRyhoVbbnbiG+Jmjdeex9QHJQj6eR4d286ox:hEuq6KIPPYcB72mZ33LZ4d36K

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.56.1:4782

Mutex

cd908738-16a9-4ffb-bb3c-998c796dbba0

Attributes
  • encryption_key

    9ADFCC480992B53D083A408F972D6494741286BE

  • install_name

    Windows Defender.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      8e4b03326da8410bfdf148a4e8f16d30N.exe

    • Size

      1.6MB

    • MD5

      8e4b03326da8410bfdf148a4e8f16d30

    • SHA1

      70f5283a78c6b2299ce634e46a53da08ebda6a3f

    • SHA256

      8f184572b6aa8674cb0f4c5063268f2270b992e31b9f6f970a96e384e2b2462f

    • SHA512

      a256a9bc2739d7b9f6dcd631438ec62c39e084f4e40e474501a1ad1c9d277fe14258fe84cd434a51751011028413ac7d5261cbe6208baf7e59cda798ebb03513

    • SSDEEP

      24576:hEeqQq3K9YIrFiM6MKDXAW5cXRpRyhoVbbnbiG+Jmjdeex9QHJQj6eR4d286ox:hEuq6KIPPYcB72mZ33LZ4d36K

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks