Resubmissions

20/08/2024, 01:41

240820-b37xpaxdpe 1

20/08/2024, 00:39

240820-aztp8aydjq 10

General

  • Target

    https://gofile.io/d/W8xOFo

  • Sample

    240820-aztp8aydjq

Malware Config

Extracted

Family

quasar

Attributes
  • encryption_key

    3F319A19AC5FD2CF97521E439597AF0457B5E047

  • reconnect_delay

    3000

Targets

    • Target

      https://gofile.io/d/W8xOFo

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks