General

  • Target: https://filebin.net/pb7xg4p9kwa3p0ss
  • Sample: 241009-1v9hzszamc

Malware Config

Extracted

Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 45.200.148.197:8080
Mutex: b24e0ed5-7881-48ee-84be-d87223f56093

Attributes
  • encryption_key: 561A2408C473BBAB7B3AD5B4005F5481E98E07AC
  • install_name: Client.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: Quasar Client Startup
  • subdirectory: SubDir

Extracted

Family: quasar
Version: 1.4.1
Botnet: 1
C2: microsoft-visualstudiocode.com:7000
Mutex: b87d629c-e061-458a-aab7-6a7d3810225a

Attributes
  • encryption_key: 608C2EF7FA3C5E6905B737821BA5F1BF71A72757
  • install_name: Client.exe
  • log_directory: winkey
  • reconnect_delay: 3000
  • startup_key: Quasar Client Startup
  • subdirectory: SubDir

Targets

    • Target

      https://filebin.net/pb7xg4p9kwa3p0ss

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Modifies file permissions

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Network Share Discovery

      Attempts to gather information about the host's network.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks