Overview

overview

10

Static

static

1

184d7427be...43.lnk

windows7-x64

10

184d7427be...43.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543.lnk

  • Size

    2KB

  • Sample

    241102-dbn2lsxhqf

  • MD5

    4a98c5bbf1a94992ec72858d3327a28e

  • SHA1

    0fa914c44bdcb63d3631d5ec30cebb5047d12c7a

  • SHA256

    184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543

  • SHA512

    e60fb58d1f141d3c2ea99bf39d3b0dd872bebc05efa0cfa630e783f4d90b624084988c66621adc4d7dc6434b1c707d1d6c7c1f36ee2fa2e36fefc47b9a7d6ba7

Score
10/10
quasarvtroydiscoveryexecutionspywaretrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://45.149.241.169:5336/ghsjfsgfjsyhsfhzgbdfbgzgfb/yugygfyjsbdfoesrjfzbhffbserhbwdewbrtsnbdjkfbrhjgvghvhgvhgvhgvHfgcNchgfcnhchgchgcnGfcngcgdcngchcngch/jhbhfbjadhghjvgfcxhhfcjtgvkhdfskjdkbzhdfhmzdkydbfvhzdfjgvhzvg/tfvjtcfgchgcgcHcgcftjcgtygvgFtrdcjfcgkhvGcjfcxhfcjgVK/chfgcx.exe

Extracted

Family

quasar

Version

1.3.0.0

Botnet

VTROY

C2

31.13.224.12:61512

31.13.224.13:61513
Mutex

QSR_MUTEX_4Q2rJqiVyC7hohzbjx

Attributes
  • encryption_key

    7Vp2dMCHrMjJthQ2Elyy

  • install_name

    downloads.exe

  • log_directory

    Logs

  • reconnect_delay

    5000

  • startup_key

    cssrse.exe

  • subdirectory

    downloadupdates

Targets

    • Target

      184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543.lnk

    • Size

      2KB

    • MD5

      4a98c5bbf1a94992ec72858d3327a28e

    • SHA1

      0fa914c44bdcb63d3631d5ec30cebb5047d12c7a

    • SHA256

      184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543

    • SHA512

      e60fb58d1f141d3c2ea99bf39d3b0dd872bebc05efa0cfa630e783f4d90b624084988c66621adc4d7dc6434b1c707d1d6c7c1f36ee2fa2e36fefc47b9a7d6ba7

    Score
    10/10
    quasarvtroydiscoveryexecutionspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks