General

  • Target

    a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79.exe

  • Size

    2.6MB

  • Sample

    241030-wwbwwszpfr

  • MD5

    08d5869bc24d424f76b8b862fb4d3ece

  • SHA1

    542bf39e63aba74891f9b25e3a602cd8e364d1ea

  • SHA256

    a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79

  • SHA512

    afcc32c0af3d9bda5eddc4f69911a1aa2b6029a0b071ef81f22e109bdde68ab2638349f97d7f2d605f720c23c9964de95ea1a63beb85f4182c11a68576774aa0

  • SSDEEP

    49152:cR0ZLQZ86dP3eKzjkGxE2KQKsVbr1ZjePG72Gq:rU1I2KQ95d72Gq

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

panel.o7lab.me

C2

panel.o7lab.me:4782

service.o7lab.xyz:4782

underground-cheat.xyz:4782

service.o7lab.com.tr:4782

Mutex

84f88b7e-fbb8-40b1-829a-206ff17d9f29

Attributes
  • encryption_key

    9D5D5E73AB412A75009506F89BC73714AF89F744

  • install_name

    Client.exe

  • log_directory

    WinLog

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79.exe

    • Size

      2.6MB

    • MD5

      08d5869bc24d424f76b8b862fb4d3ece

    • SHA1

      542bf39e63aba74891f9b25e3a602cd8e364d1ea

    • SHA256

      a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79

    • SHA512

      afcc32c0af3d9bda5eddc4f69911a1aa2b6029a0b071ef81f22e109bdde68ab2638349f97d7f2d605f720c23c9964de95ea1a63beb85f4182c11a68576774aa0

    • SSDEEP

      49152:cR0ZLQZ86dP3eKzjkGxE2KQKsVbr1ZjePG72Gq:rU1I2KQ95d72Gq

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks