General

  • Target

    Vape-V4-4.10 (FIXED).rar

  • Size

    24.0MB

  • Sample

    241030-ths7xayjhl

  • MD5

    01abe0a83dfa8d0696e922865209463f

  • SHA1

    8e8b0314999a2bdae9f741667af0f8b2861f81aa

  • SHA256

    88745950cd5b50bb6dda601dd8913a7e1c1d5dca49468c6c65107f2caface85f

  • SHA512

    e669bb776968c2e49d06d016fef2a201925fc403279daa66e62e361d360f573577ada2888f3911b51a7ec6ce2729f9873870c0f03131fd3dfa7a855f51b67fe7

  • SSDEEP

    393216:p1YXyOJmpS17iGtDmm67eBwFsCwK+39djZ0X7sX0GyLQIItNzo5y8bxGs:vhORdp67LFsCwKK9dV0oX0RLQIItNOpz

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.6 | Tinsler

C2

throbbing-mountain-09011.pktriot.net:22112

167.71.56.116:22112

throbbing-mountain-09011.pktriot.net:5050

Mutex

cf16a257-7d89-4296-8384-8fca3dbb568f

Attributes

  • encryption_key

    045F98A287DD47B8B5C074D234995A2C5A913042

  • install_name

    .exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    1000

Targets

    • Target

      Vape-V4-4.10 (FIXED)/Vape4DLL.dll

    • Size

      5.0MB

    • MD5

      6990d8eccbb8bbc6b5835ba7d94ffe4c

    • SHA1

      48ca050052c5db2fe8861a9eadbf2d6689e924cd

    • SHA256

      1634d50dc2263dff2305de904ddf903467a6edcc464a778fcf77e4ca8df8365f

    • SHA512

      d41b89be7a35b3738c1518fd93b5f8ace6c69fea66ca33cfa38ebf22a9c27967b37f70e10e8afd59c171a72a0b4a087bce5ee022eb009a8f17e368df32559953

    • SSDEEP

      98304:IIo/Y7mgTm05AwJHE6hnRVL6MgbscSEd17E7GV3td:INg7PAmkOvgoXYI7GVP

    Score

    1/10

    • Target

      Vape-V4-4.10 (FIXED)/vape-loader.jar

    • Size

      5.7MB

    • MD5

      942b440da0b181b775771d1543084f30

    • SHA1

      666ac2ae1d22c0ad657d89e2074044d27b9caa18

    • SHA256

      5fdcb68e0b267332bf806b1e465c0e55eb2b8140c932c2b8856de804c83f1a55

    • SHA512

      41d05c4c12696a0c70c3640ba282154d5987cf66742999c5ecfdcfb66e62c4276c4a8afdc7f98211a195441184057b0ca9ed4a7526950987671db9f8b99214e6

    • SSDEEP

      98304:CDbPd7m1KUTz0KPXX2jPlSS1i3oG7bMDtILXHdGE9EWaDMg0gzAmUnlJ5ruI+69P:2LpJUTN/oPES1i3oG0qJVGWmMgxzAn5L

    Score

    1/10

    • Target

      Vape-V4-4.10 (FIXED)/vape.bat

    • Size

      12.5MB

    • MD5

      cf5b412ffc3ce43cd7ddce602fc67f56

    • SHA1

      221dfcd0868158f676c472d8a5bcf9647f0c7d51

    • SHA256

      84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724

    • SHA512

      695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef

    • SSDEEP

      49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b

    • Quasar RAT

      Quasar is an open-source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes itself

    • Executes dropped EXE

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks