General

  • Target

    lchs.txt

  • Size

    3.4MB

  • Sample

    240925-txkjbaycjb

  • MD5

    45135fb081a6c819f57b8af5d643fa0a

  • SHA1

    41d53a31c8fd14780eb5ddbed85bc893c537d8b1

  • SHA256

    02c614d149eeba84d88bb0bf9054c63a43edd5ae2993d3cb45b669cd7e590662

  • SHA512

    a013dc1e56ff12ad7a2137de92a2b154bbe1563ef19a7770ad3241d4218946db4811c06b92e06dfee29fd7ff8e7e679474005ccea80abd8dd6ef1476ee39d29c

  • SSDEEP

    98304:/zUa0ps1XffeC+/qLwLi0mRqDZwqRY9GBN/txR:/zBUEmCbLsi0mEDmqR/zR

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

25-09-2024-msc

C2

193.124.33.141:4782

Mutex

b4f4a566-ecdf-4f60-b8dc-d8a1a60e842f

Attributes

  • encryption_key

    DD459BB92A43EF8EEB2FE401C8453F685AECE590

  • install_name

    ChromiumDaemon.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Chromium Extentions Service

  • subdirectory

    ChromiumExtentions

Targets

    • Target

      lchs.txt

    • Quasar RAT

      Quasar is an open-source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Enumerates processes with tasklist
