Overview

overview

10

Static

static

3

sender_Leaked.exe

windows7-x64

7

sender_Leaked.exe

windows10-2004-x64

10

sender.pyc

windows7-x64

3

sender.pyc

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEW__S3NDER__LEAKED.zip

  • Size

    10.4MB

  • Sample

    241106-qf6tfa1epq

  • MD5

    f5cfc281c4c6abd820fd4445095432a6

  • SHA1

    4dcf4338236b253de7c6cf124d1fd0793d35fb4c

  • SHA256

    7625087fb31f735d1570fd75dc299ed7bcaa7d7abb20304a1c54a201b327695a

  • SHA512

    0913d7420e40e26814065f35d50590bb9615bfc2ebcc9368d08719b4f6810826d7df7278d03e4832b9935d5a9d388f77e91a8b73312f1b381f842e1b38b593b3

  • SSDEEP

    196608:woBXTPEGhSpDk9liuJIW3DVzt3T3FzoFx1KMAbNXNkuO9V2rNbskksMIN9:VThSRoisIW5Z3TJo31KxXNNR5nksFN9

Score
10/10
quasarofficedefense_evasiondiscoveryexecutionspywaretrojanupx

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

45.200.149.95:6669

Mutex

6HcAGCOypVIi6hl6rR

Attributes
  • encryption_key

    3Fmq36RtzQkpmjAWxAFM

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    DISC

  • subdirectory

    SubDir

Targets

    • Target

      sender_Leaked.exe

    • Size

      10.4MB

    • MD5

      ec24824b426d96f1137c664f23309a97

    • SHA1

      0eb8f4d89dc4ac3824d0ce3a4d872c2ab0d52b38

    • SHA256

      bd129bf2a26437a068b7486b46ca77d6f45786ac9f400c94678c0fdd15759a42

    • SHA512

      14a2701c7551232da3c1d5d9cb18cf76f6aed52e046b6fd5aed9fd65bfa9058090a95331265f550d677b1c9947194f4b2e035ee2a8c9d7faa7d4b109e6c15738

    • SSDEEP

      196608:XHdqeGkP/DnwZsupqDA1jV19v7+dPB68K1T59Y8pC/Uhh6ipc+46h:NFrn8sOqkFV1B+JB6F59bpP7xc+ph

    Score
    10/10
    defense_evasiondiscoveryexecutionupxquasarofficespywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      sender.pyc

    • Size

      209KB

    • MD5

      de4377da7ee52ca0d3b6cd153fdf8eec

    • SHA1

      21c8bbc4aae2619f21db7b3c613af9e65b94495b

    • SHA256

      c8e724183ae53e855e3ba803b871f6d1748cfef6ab07f25ecf499c174cc6b684

    • SHA512

      6700475b9e54555540b76b83fa5564a69e5dd0faf771f5574e6ef8e4b34334e88f4a3e406a882aa7190d80ba4ee60246e812bdb599ae3a7cf357fee9ffb30b85

    • SSDEEP

      6144:Cysg4eUtO6MVBZ6J2+gpYHuSHbG3xcXzNw:Cysg4TtO6CC2JYOSHbGB4w

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks