Overview

overview

10

Static

static

10

Client-built.exe

windows10-ltsc 2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • Sample

    241104-ehks7stdpm

  • MD5

    f5b93af3ee1b64dacd2bac9ba4af9b27

  • SHA1

    1f2a038199a71a2b917dca4dff2f5fac5e840978

  • SHA256

    48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01

  • SHA512

    83703b0f567723abe3d6b34bd419be5df3475e049ae8893993fec017da9a420cd875184c570bdffbfc0bccac662762991885dea8ebcc2af172b3aac2fb00a302

  • SSDEEP

    49152:mv2I22SsaNYfdPBldt698dBcjHQzRJ6TbR3LoGd/oobTHHB72eh2NT:mvb22SsaNYfdPBldt6+dBcjHQzRJ6FA

Score
10/10
quasaroffice04credential_accessdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Inversin-43597.portmap.host:43597

Mutex

80329fd2-f063-4b06-9c7e-8dbc6278c2a3

Attributes
  • encryption_key

    744EA1A385FEBC6DA96387411B7000D77E66B075

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    java updater

  • subdirectory

    SubDir

Targets

    • Target

      Client-built.exe

    • Size

      3.1MB

    • MD5

      f5b93af3ee1b64dacd2bac9ba4af9b27

    • SHA1

      1f2a038199a71a2b917dca4dff2f5fac5e840978

    • SHA256

      48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01

    • SHA512

      83703b0f567723abe3d6b34bd419be5df3475e049ae8893993fec017da9a420cd875184c570bdffbfc0bccac662762991885dea8ebcc2af172b3aac2fb00a302

    • SSDEEP

      49152:mv2I22SsaNYfdPBldt698dBcjHQzRJ6TbR3LoGd/oobTHHB72eh2NT:mvb22SsaNYfdPBldt6+dBcjHQzRJ6FA

    Score
    10/10
    quasaroffice04credential_accessdiscoveryspywarestealertrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks