General

  • Target

    e29b86ad063e26d4f88cc123f784983f542357cf922f296813b615c3d0d80a00.lnk

  • Size

    2KB

  • Sample

    241103-emtxnsvcqj

  • MD5

    04e779f16953e15b609dfab5be6ebd26

  • SHA1

    d0e0b98da3f2ee3b0f8346d511436891380dd4f6

  • SHA256

    e29b86ad063e26d4f88cc123f784983f542357cf922f296813b615c3d0d80a00

  • SHA512

    4e1967297fb67949b14b16fe8f1d8292360b94602e9da4871476bd7bba84c2cc013bc1b1cedff029c8b01b81f357657919cddcc030ad783a4e61a8db2e5b564b

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper

    http://45.149.241.169:5336/ghsjfsgfjsyhsfhzgbdfbgzgfb/yugygfyjsbdfoesrjfzbhffbserhbwdewbrtsnbdjkfbrhjgvghvhgvhgvhgvHfgcNchgfcnhchgchgcnGfcngcgdcngchcngch/jhbhfbjadhghjvgfcxhhfcjtgvkhdfskjdkbzhdfhmzdkydbfvhzdfjgvhzvg/tfvjtcfgchgcgcHcgcftjcgtygvgFtrdcjfcgkhvGcjfcxhfcjgVK/chfgcx.exe

Extracted

  • Family

    quasar

  • Version

    1.3.0.0

  • Botnet

    VTROY

  • C2

    31.13.224.12:61512

    31.13.224.13:61513

  • Mutex

    QSR_MUTEX_4Q2rJqiVyC7hohzbjx

Attributes
  • encryption_key

    7Vp2dMCHrMjJthQ2Elyy

  • install_name

    downloads.exe

  • log_directory

    Logs

  • reconnect_delay

    5000

  • startup_key

    cssrse.exe

  • subdirectory

    downloadupdates

Targets

    • Target

      e29b86ad063e26d4f88cc123f784983f542357cf922f296813b615c3d0d80a00.lnk

    • Quasar RAT

      Quasar is an open-source remote access tool.

    • Quasar family

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks