Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N

  • Size

    9KB

  • Sample

    240930-2nlzsasfld

  • MD5

    a9ee41f13671a27306e8a3e1dd16d8c0

  • SHA1

    75b9c920227278bdf387fc029c6547442fd2aeee

  • SHA256

    ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70

  • SHA512

    82a97a4376f6a7096518467067d0066385cda0edb6d5480136ba0b706fdf57edb69bdafe1233d8fd99c0aa4c16618206f636a52d7271a6a2b8ccb80b78d34186

  • SSDEEP

    96:tDM/Qfwt9LSwlo7s5XjL3EOLSrLXSfcgQWChThghThGJ6cseaB4KWsJP/LyNlQzj:5MkKLSgNTL3pLSrLCNM6caB4KZuly

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Hacked

C2

1.tcp.sa.ngrok.io:20545

Mutex

11be2b79-6682-4e70-8daf-902c6a4c9c43

Attributes
  • encryption_key

    5E9246C5AB842E866E54BCF3379BFBE1677545A8

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    5000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N

    • Size

      9KB

    • MD5

      a9ee41f13671a27306e8a3e1dd16d8c0

    • SHA1

      75b9c920227278bdf387fc029c6547442fd2aeee

    • SHA256

      ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70

    • SHA512

      82a97a4376f6a7096518467067d0066385cda0edb6d5480136ba0b706fdf57edb69bdafe1233d8fd99c0aa4c16618206f636a52d7271a6a2b8ccb80b78d34186

    • SSDEEP

      96:tDM/Qfwt9LSwlo7s5XjL3EOLSrLXSfcgQWChThghThGJ6cseaB4KWsJP/LyNlQzj:5MkKLSgNTL3pLSrLCNM6caB4KZuly

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks