General

  • Target

    EasyInstallerV1.exe

  • Size

    3.1MB

  • Sample

    241010-bggtdashmf

  • MD5

    c35ba8f6d4a68f31510f76bab5b21229

  • SHA1

    ffb2ad934416ccbd70674dcdc523210d3ce9b998

  • SHA256

    891d304216b3c0f20c3543a111f864e7010190f89162bdee8d34e08e41b27fb6

  • SHA512

    0700e458a11cbd4cd23ce22fb4d14cd6e129a74389851a22e7cdeab4b0de5067f4722858ff43e23637e057283260ceb3bf34deaf4b106340f97b834dffa8dd5e

  • SSDEEP

    49152:ivPI22SsaNYfdPBldt698dBcjH7cw5bRvILoGd+fTHHB72eh2NT:ivA22SsaNYfdPBldt6+dBcjH7cwPmO

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

test

C2

luascript-28488.portmap.host:28488

Mutex

0be49127-6a01-4931-8d7c-84035856367f

Attributes
  • encryption_key

    61968CB017546A59BB42F884A73D1899C4140210

  • install_name

    celexv2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    .

  • subdirectory

    SubDir

Targets

    • Target

      EasyInstallerV1.exe

    • Size

      3.1MB

    • MD5

      c35ba8f6d4a68f31510f76bab5b21229

    • SHA1

      ffb2ad934416ccbd70674dcdc523210d3ce9b998

    • SHA256

      891d304216b3c0f20c3543a111f864e7010190f89162bdee8d34e08e41b27fb6

    • SHA512

      0700e458a11cbd4cd23ce22fb4d14cd6e129a74389851a22e7cdeab4b0de5067f4722858ff43e23637e057283260ceb3bf34deaf4b106340f97b834dffa8dd5e

    • SSDEEP

      49152:ivPI22SsaNYfdPBldt698dBcjH7cw5bRvILoGd+fTHHB72eh2NT:ivA22SsaNYfdPBldt6+dBcjH7cwPmO

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks