General

  • Target

    ExeFile (351).exe

  • Size

    1.0MB

  • Sample

    240820-rjqr3awdph

  • MD5

    dff805106f7e22c65887f4b40ae63af7

  • SHA1

    9deda5715cfd27bce5d07e8c9da3888652239030

  • SHA256

    632ebbd71c57497b70d5d0d270737706af23a00a789c7b53c13110252a35ba7d

  • SHA512

    43c1bacfb18a767ca9f7d8ca34ab964abde0cb026d34c29adcc2d70f52b9e4055cfaf8c2d4f2ee9079ba3cc11fa4d3dc62d2ece9a624c6cb19db5ffed0c563d3

  • SSDEEP

    24576:uHMwUDPHMYHM62oEHMxszlt0que+gl02xJ/7UbPv5LvE9HM:yI7bwoYzv0B2lxJjuPWd

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Image1

C2

onemilliondollars.duckdns.org:4781

185.165.153.138:4781

fivemilliondollars.duckdns.org:4781

Mutex

MUTEX_hcyE6Pmu2wtUGYAlgy

Attributes

  • encryption_key

    5f9oz3a4d9d5TlQM1xmm

  • install_name

    winlog.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Intel Corpration

  • subdirectory

    SubDir

Targets

    • Target

      ExeFile (351).exe

    • Quasar RAT

      Quasar is an open-source Remote Access Tool (RAT).

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks