General

  • Target: pngratbuilder.exe
  • Size: 3.3MB
  • Sample: 240817-t7dhrawajf
  • MD5: 92a6143dcbd8a902f2035a80356f080e
  • SHA1: 286bb5b223228a8f5d63ad41f7bde51df0fb4886
  • SHA256: 1d36df8260d35b6d903a57018041527a74cf3a44a4203ed11244cb1a24f79e17
  • SHA512: eae2f288b8148f6c792fcf4a8c2726173c70f66767678f97129637bc5d40e6f20f05e2ecdd451451d5b2e5f4c9e799996c3b0b943ab75290fa19d52549fe687f
  • SSDEEP: 49152:uv3go2QSaNpzyPllgamb0CZof/JskG3FarpLoGdITHHB72eh2NT:uvQo2QSaNpzyPllgamYCZof/Ju30

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: image
  • C2:
      26.252.166.137:4782
      192.168.56.1:4782
      192.168.1.110:4782
      2001:14ba:4850:e000::1a:4782
      2001:14ba:4850:e000:3748:5dbb:3d1f:7a8c:4782
  • Mutex: 386e98fd-9d46-4ec0-a3cf-9d633def31f8

Attributes

  • encryption_key: 887503DA77A68440573286074E9EF40CA76D926E
  • install_name: ImageLoader.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: Shell Startup
  • subdirectory: Images

Targets

    • Target: pngratbuilder.exe
    • Size: 3.3MB
    • MD5: 92a6143dcbd8a902f2035a80356f080e
    • SHA1: 286bb5b223228a8f5d63ad41f7bde51df0fb4886
    • SHA256: 1d36df8260d35b6d903a57018041527a74cf3a44a4203ed11244cb1a24f79e17
    • SHA512: eae2f288b8148f6c792fcf4a8c2726173c70f66767678f97129637bc5d40e6f20f05e2ecdd451451d5b2e5f4c9e799996c3b0b943ab75290fa19d52549fe687f
    • SSDEEP: 49152:uv3go2QSaNpzyPllgamb0CZof/JskG3FarpLoGdITHHB72eh2NT:uvQo2QSaNpzyPllgamYCZof/Ju30

    Signatures

    • Quasar RAT: Quasar is an open-source Remote Access Tool.
    • Quasar payload
    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks