General

  • Target

    9683ae49df4611b5c3bf4b64091490e0N.exe

  • Size

    3.1MB

  • Sample

    240820-py62gswekp

  • MD5

    9683ae49df4611b5c3bf4b64091490e0

  • SHA1

    cf5b51f57ef7f990c42d6d541d1c1e8a7015f70e

  • SHA256

    0ee5e2f4649aed44cebe6872d5b7c18040aa22fbf21e1b5ca6bc3d4748f9b0cc

  • SHA512

    9858f67cf0b77a33dca3fa6fb9adfc209c86c9b93cd325922c664e48637c9de318fd2f8097bd1a504ba36d3a64cc0b8653241d565e1dd994d0f76c860bf394d9

  • SSDEEP

    49152:Gv2I22SsaNYfdPBldt698dBcjHsfRJ6VbR3LoGd3zTHHB72eh2NT:Gvb22SsaNYfdPBldt6+dBcjHsfRJ6n

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    Alex

  • C2

    7.tcp.ngrok.io:21630

    alexthedns.com:4444

  • Mutex

    7705a472-de11-422c-bb9d-a95b63236ca3

Attributes

  • encryption_key

    6DA001BD6C6276995240688DD6532A416FADB825

  • install_name

    winrom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    winrom.exe

  • subdirectory

    winrom

Targets

    • Target

      9683ae49df4611b5c3bf4b64091490e0N.exe

    • Size

      3.1MB

    • MD5

      9683ae49df4611b5c3bf4b64091490e0

    • SHA1

      cf5b51f57ef7f990c42d6d541d1c1e8a7015f70e

    • SHA256

      0ee5e2f4649aed44cebe6872d5b7c18040aa22fbf21e1b5ca6bc3d4748f9b0cc

    • SHA512

      9858f67cf0b77a33dca3fa6fb9adfc209c86c9b93cd325922c664e48637c9de318fd2f8097bd1a504ba36d3a64cc0b8653241d565e1dd994d0f76c860bf394d9

    • SSDEEP

      49152:Gv2I22SsaNYfdPBldt698dBcjHsfRJ6VbR3LoGd3zTHHB72eh2NT:Gvb22SsaNYfdPBldt6+dBcjHsfRJ6n

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks