General

  • Target

    3b91d7f0be55606bcdf71b37a18f34c298156b12181ff7c944fb7a1818916736N

  • Size

    7.6MB

  • Sample

    241007-fhmhgawhrm

  • MD5

    2b0f4ed458655cb0dbc66cf2a1f6a650

  • SHA1

    905121961d59b36a8eba46b02dcf9b48c68baae4

  • SHA256

    3b91d7f0be55606bcdf71b37a18f34c298156b12181ff7c944fb7a1818916736

  • SHA512

    1741a6881e9e9a24e8f4e50ee28dd9a00e47156ae987c4bd25348504dd669e2bd4f6685607275419dc7af42bbaa0ff53306a91bad892c2a508797a8fe9740fad

  • SSDEEP

    196608:IiyGR6yx+w3u7zPJKqCyBDpQyNCD+l7ggmdzrK:IiHR6yx5uJKqCyfnNCigPZO

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

new

C2

caidume1368.ddns.net:8848

Mutex

QSR_MUTEX_7rJKh7823LOXhq62Ll

Attributes
  • encryption_key

    XOrsMOPj48itZ7EYR3g9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    System

  • subdirectory

    SubDir

Targets

    • Target

      3b91d7f0be55606bcdf71b37a18f34c298156b12181ff7c944fb7a1818916736N

    • Size

      7.6MB

    • MD5

      2b0f4ed458655cb0dbc66cf2a1f6a650

    • SHA1

      905121961d59b36a8eba46b02dcf9b48c68baae4

    • SHA256

      3b91d7f0be55606bcdf71b37a18f34c298156b12181ff7c944fb7a1818916736

    • SHA512

      1741a6881e9e9a24e8f4e50ee28dd9a00e47156ae987c4bd25348504dd669e2bd4f6685607275419dc7af42bbaa0ff53306a91bad892c2a508797a8fe9740fad

    • SSDEEP

      196608:IiyGR6yx+w3u7zPJKqCyBDpQyNCD+l7ggmdzrK:IiHR6yx5uJKqCyfnNCigPZO

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Executes commands through powershell.exe.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Reads credentials stored in unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      The executable is packed with UPX or a modified build of the UPX open source packer.

    • Target

      Built.exe

    • Size

      7.5MB

    • MD5

      f6c1ca73d58bee19392afdf533bac4b3

    • SHA1

      35e4a258a6f3834e7a3164d929b6333ba91ab9d9

    • SHA256

      ea7ff4296f265854109ce36e1cd4e1d4b9afd94fe5d22392421da5b07c9f5e32

    • SHA512

      714fdc94576245696b9c7948cc997a536380e54b5a2b2342321e3ef50ae8d413ab91c71774510defe28245b7e7d6d410905a76922cc3da4305c772a3043a8435

    • SSDEEP

      196608:EjgVVEugwfI9jUC2gYBYv3vbW2+iITx1U6nu:XVVEu/IH2gYBgDWJTnzu

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Reads credentials stored in unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      The executable is packed with UPX or a modified build of the UPX open source packer.

    • Target

      Client-built.exe

    • Size

      348KB

    • MD5

      fa9b24d2daf3f8cf5e8fb84a4b0cd197

    • SHA1

      03cfb24c35b7f79fd1ce716dd2402ca56d09a349

    • SHA256

      f429a38b014770d38d3c95aca9e5169c6d2aee6731ae6dacf2b8d2911bdb0827

    • SHA512

      987beefe76c56a58ff279ca08b5f702cdf5bfed3d64c47ef8c041b4a10f5dd9b475f1cbc856b3a0ae55c310bde67b672a70a11d5b961608910d7b22d2d5bc5b6

    • SSDEEP

      6144:gN6bPXhLApfp04t/+qckvubgvbIRw/9fVng:0mhApTt/+ctvbiw/9flg

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
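The extracted config and the behaviours listed above translate directly into host and network indicators. The following is an added example, not part of this report or of the Quasar project: it derives indicators from the config values shown (C2 host and port, mutex, install_name under subdirectory, the Run value named after startup_key, reconnect_delay in milliseconds) and matches them, together with the Defender-exclusion PowerShell seen for Built.exe, against a handful of constructed Sysmon-style events. The file layout `<install dir>\SubDir\Client.exe` and the use of startup_key as the Run value name are assumptions drawn from Quasar's public source; the install directory root is not in the extracted config, so the code matches only on the `SubDir\Client.exe` tail. Event field names follow Sysmon's naming but the events themselves are made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Values copied from the "Extracted" config in the report above.
QUASAR_CONFIG: Dict[str, str] = {
    "family": "quasar",
    "version": "1.3.0.0",
    "c2": "caidume1368.ddns.net:8848",
    "mutex": "QSR_MUTEX_7rJKh7823LOXhq62Ll",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "System",
    "reconnect_delay": "3000",   # milliseconds between reconnect attempts
}


def derive_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Turn config fields into concrete, case-folded indicators."""
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        # Mutex is not visible in Sysmon; keep it for memory/handle triage.
        "mutex": cfg["mutex"],
        # Assumption (Quasar source layout): <install dir>\<subdirectory>\<install_name>.
        # The install dir root is not in the extracted config, so match the tail only.
        "install_tail": (cfg["subdirectory"] + "\\" + cfg["install_name"]).lower(),
        # Assumption: startup_key is used as the name of the Run registry value.
        "run_value": cfg["startup_key"].lower(),
        "reconnect_seconds": int(cfg["reconnect_delay"]) / 1000,
    }


# PowerShell adding Defender exclusions, as seen for Built.exe above.
DEFENDER_EXCLUSION = re.compile(
    r"add-mppreference\b.*-exclusion(?:path|extension|process)\b", re.IGNORECASE)


def match_event(ev: Dict[str, str], iocs: Dict[str, object]) -> List[str]:
    """Return the reasons an event matches; an empty list means no match."""
    hits: List[str] = []
    kind = ev["EventType"]
    if kind == "ProcessCreate":
        if ev["Image"].lower().endswith("\\" + iocs["install_tail"]):
            hits.append("process launched from Quasar install path")
        if DEFENDER_EXCLUSION.search(ev.get("CommandLine", "")):
            hits.append("Defender exclusion added via PowerShell")
    elif kind == "RegistryValueSet":
        target = ev["TargetObject"].lower()
        details = ev.get("Details", "").strip('"').lower()   # value is usually quoted
        if (target.endswith("\\currentversion\\run\\" + iocs["run_value"])
                and details.endswith(iocs["install_tail"])):
            hits.append("Run-key persistence named after startup_key")
    elif kind == "DnsQuery":
        if ev["QueryName"].lower() == iocs["c2_host"]:
            hits.append("DNS lookup of C2 host")
    elif kind == "NetworkConnect":
        # The C2 is a DDNS name whose IP can change, so match on the hostname.
        if ev.get("DestinationHostname", "").lower() == iocs["c2_host"]:
            hits.append("connection to C2 host")
        elif int(ev["DestinationPort"]) == iocs["c2_port"]:
            hits.append("connection on C2 port only (low confidence)")
    return hits


def scan(events: List[Dict[str, str]], iocs: Dict[str, object]) -> List[Tuple[int, List[str]]]:
    """Scan a list of events, returning (index, reasons) for every match."""
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev, iocs)
        if hits:
            results.append((i, hits))
    return results


# Constructed Sysmon-style events for the example (not from the sandbox run).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe", "CommandLine": ""},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Add-MpPreference -ExclusionPath '
                    r"'C:\Users\victim\AppData\Roaming\SubDir'\""},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\System",
     "Details": r'"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"'},
    {"EventType": "DnsQuery", "QueryName": "caidume1368.ddns.net"},
    {"EventType": "NetworkConnect",
     "DestinationHostname": "caidume1368.ddns.net", "DestinationPort": "8848"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventType": "NetworkConnect",
     "DestinationHostname": "example.com", "DestinationPort": "443"},
]

if __name__ == "__main__":
    iocs = derive_iocs(QUASAR_CONFIG)
    for idx, reasons in scan(SAMPLE_EVENTS, iocs):
        print(idx, SAMPLE_EVENTS[idx]["EventType"], reasons)
```

The port-only match is deliberately marked low confidence: 8848 is not reserved for Quasar, and the operator can change it per build, so a real rule should pair it with the hostname or with the process that opened the socket.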

MITRE ATT&CK Enterprise v15
