General

  • Target

    03778d811f241e83ccad830372313b3c.zip

  • Size

    6.0MB

  • Sample

    240901-sajstsvapa

  • MD5

    cb5f90bc4f6b3efb5a8d8d96919922fb

  • SHA1

    2957561a29587d510fd9a40e479416c80203cd6c

  • SHA256

    75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f

  • SHA512

    80d32637b5f660704b182c94a17a668aad0686b5fe3c7aa70dc66b1d9c7815d7e73ecbe29ce0cec09ce9ad421dce58f24a723d48acd4f2fa486fc913412dd027

  • SSDEEP

    98304:Yvo1nQ0HP4N8GMZbAOr6/uWM3OY6vqQMOpoT4YOYDGAZfkSJJVjnhRD2wOMTjnXK:SoJQ+P4be9r3z6iQMuYDTKKDjnhpTLXK

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

C2

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes
  • encryption_key

    8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D

  • install_name

    chrome.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    System

  • subdirectory

    chrome

Targets

    • Target

      95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc

    • Size

      6.1MB

    • MD5

      03778d811f241e83ccad830372313b3c

    • SHA1

      11962399abf7fc0981f324e4aa5271f36f50c5ba

    • SHA256

      95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc

    • SHA512

      2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f

    • SSDEEP

      98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks