General

  • Target: not a bomb.zip
  • Size: 1.2MB
  • Sample: 240806-p1ttyazbmr
  • MD5: 09f7f885cd740d1c7b8adb3e806318bb
  • SHA1: a3c8226ad60c0adf7820881903900e41bf2954a2
  • SHA256: 6f20309b4efae0c6b0e0ea1833da21b47464b4cb52b0feae0ca0a3c10da82953
  • SHA512: 2ce9a16ee36ea2ba0ed587788ad8fba21cafed3cb1157c87d83c1bd21cf1130d9b3710c27837efff0dfc037a2de657142171b102b341e565c990218ef560f996
  • SSDEEP: 24576:g5wmhcnpEpAidGFuy9idk3EIg/oSxqyqmC4Qy5d8MVhEwEs5hlveQb:H8cnpEqidGFX986/gtbf7Tl5jeQb

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: Office04
  • C2: gakimyny-40562.portmap.host:40562
  • Mutex: 46e7ef3b-8d62-4396-a1b6-7d8a2353e907

Attributes

  • encryption_key: 4CCD03EE2B3F5EBE1286E32B25E48A9D2C6CC0F5
  • install_name: incognito.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: CrashHandler
  • subdirectory: SubDir

Targets

    • Target: not a bomb.exe
    • Size: 3.1MB
    • MD5: 0fd18e67cf1c40302f02f939ba40e410
    • SHA1: fcf512ef2d1b04931a8b5772086124002ef89212
    • SHA256: 431a5f0faa11e6e74adfca618ca57ba1d4e2935a992e66972578bff8784800a9
    • SHA512: 20cce72138a39730f9033ed1ca1b95aa66e5b203b097e18352feb2491999c5660141875bcb2aabf1857c3f49e9f705f9157c0507f49b30457861dc381cbe520c
    • SSDEEP: 49152:rvDI22SsaNYfdPBldt698dBcjH4x2EDwOk/Jx1oGdhTHHB72eh2NT:rv822SsaNYfdPBldt6+dBcjH4xsj
    • Quasar RAT: Quasar is an open source Remote Access Tool.
    • Quasar payload
    • Executes dropped EXE
    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks