General

  • Target

    b8fc2efcc33d3160f38fcb6b39319e6a.exe

  • Size

    774KB

  • Sample

    241102-hj21nazfmh

  • MD5

    b8fc2efcc33d3160f38fcb6b39319e6a

  • SHA1

    a61413a5b6c19b4a388e6c89aaa9304c657b3e08

  • SHA256

    3df20b1c9806c327d72824f1b9a4ffcbe702d152fbf11fca42a36c862cbafd0a

  • SHA512

    ba4ef7ec5dd7b9ad8ec49ef73315bded8ecc72212b11e3a1384b6d4f3f264867312cda41268a8d1df6fc8c3caa63813c15aa4ff29f0324360a95d59de3456d3b

  • SSDEEP

    24576:XBx+Lv/QRiHCywDv2JIh7tJIYZFk+XJJ:xeXBm2JIDJNDXJ

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

VTROY

C2

31.13.224.12:61512

31.13.224.13:61513

Mutex

QSR_MUTEX_4Q2rJqiVyC7hohzbjx

Attributes
  • encryption_key

    7Vp2dMCHrMjJthQ2Elyy

  • install_name

    downloads.exe

  • log_directory

    Logs

  • reconnect_delay

    5000

  • startup_key

    cssrse.exe

  • subdirectory

    downloadupdates

Targets

    • Target

      b8fc2efcc33d3160f38fcb6b39319e6a.exe

    • Size

      774KB

    • MD5

      b8fc2efcc33d3160f38fcb6b39319e6a

    • SHA1

      a61413a5b6c19b4a388e6c89aaa9304c657b3e08

    • SHA256

      3df20b1c9806c327d72824f1b9a4ffcbe702d152fbf11fca42a36c862cbafd0a

    • SHA512

      ba4ef7ec5dd7b9ad8ec49ef73315bded8ecc72212b11e3a1384b6d4f3f264867312cda41268a8d1df6fc8c3caa63813c15aa4ff29f0324360a95d59de3456d3b

    • SSDEEP

      24576:XBx+Lv/QRiHCywDv2JIh7tJIYZFk+XJJ:xeXBm2JIDJNDXJ

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks