Overview

overview

10

Static

static

10

Spoofers/Cleaner.exe

windows10-ltsc 2021-x64

10

Spoofers/P...er.exe

windows10-ltsc 2021-x64

10

Resubmissions

30-10-2024 00:08

241030-ae58hsself 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Spoofers.7z

  • Size

    8.2MB

  • Sample

    241030-ae58hsself

  • MD5

    cb7960f8fb08dc1d63269e205e490b03

  • SHA1

    184d929681a0d5ae239f148214ee5d070b1adc69

  • SHA256

    4fa37e700c2b9ee257995cc82ad1f02b02bf5b031a5fda15ff34277c82239d8a

  • SHA512

    852ea8344772464f4bdbca2108a33bc156b2c7d99ff40588a07e98c055a996567496196f5f1fe7512a1d8cb7a8e132942f7c1a157ad45fe6314838c13ed5eb12

  • SSDEEP

    196608:yW6AJ7/yLztIl+W2KPmH84G0pD4VdsR5CloWINqDlIn9FRDRf:SA1/yLKH29c4/V2e5QoWINAIn93DN

Score
10/10
blankgrabberquasaroffice04discoveryevasionexecutionspywaretrojanupx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.28:4782

Mutex

03ef2b9a-5389-4312-b3d3-9b6f68cc5386

Attributes
  • encryption_key

    F8A900CD75D848E74023B3A66FA8AA5469C97692

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    ahhaa

  • subdirectory

    SubDir

Targets

    • Target

      Spoofers/Cleaner.exe

    • Size

      7.5MB

    • MD5

      ba5b980e4d8a2229836b393860cc3b4c

    • SHA1

      b08af0140ef0e54fb99d077b08d97ec5c8ebd52f

    • SHA256

      89f481a8c2b2b29afbdb45e2bbe01b24346a118aa3775e6a7a28537a54a85e15

    • SHA512

      bff2841fb6d166abec6a1d3f9ab1fb777f3e1f912e47dea650e4119919310a10cf0399d3d23d4dc700890e327b5b2f8d99fa28c317fb11e56582e83b53a28a5a

    • SSDEEP

      196608:YGhhOourErvI9pWjg/Qc+4o673pNrabenyzWtPMYnNcs9:HburEUWjZZ4dDLIeyzWtPTNz9

    Score
    10/10
    discoveryevasionexecutionupx

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

      evasion

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

    • Target

      Spoofers/PermWoofer.exe

    • Size

      3.1MB

    • MD5

      b4ac68d3c6cc89ae97e519b9a7241bba

    • SHA1

      ced8a4dec2238bc5f2b7ca9ef9fdac0a6cd9108f

    • SHA256

      03bc2c340a1081e1521a5c4b92c38756f4de234ac1b1a578556d83737972e343

    • SHA512

      8870741c08574945ea43055e6031394af96290348e4e55d3570f937020c49020fc7d61517d9ab9dd42fc65066ba113cb8a31f2d45cff7f7301f8e865d52aa1d5

    • SSDEEP

      49152:Kvkt62XlaSFNWPjljiFa2RoUYIibRJ60bR3LoGdjTHHB72eh2NT:Kv462XlaSFNWPjljiFXRoUYIibRJ6+

    Score
    10/10
    quasaroffice04spywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Executes dropped EXE

    behavioral2

MITRE ATT&CK Enterprise v15

Tasks