General

  • Target

    mielda loco 12.exe

  • Size

    3.1MB

  • Sample

    241107-f97bysvrgs

  • MD5

    4ae7ab9b981922837aae1c86c7f726a3

  • SHA1

    1783e0788fb2a103d71bc9a05ae2fb85c0d70ee9

  • SHA256

    b1b8ad9032b829e2ac3956ce8f302745802cd2d5ae686c700796e2f2ee81b0f7

  • SHA512

    79c4bf39ae1761414b5f37186c2483a4b8755168824d6e783ea9cab26e7c0118f391b6417c622b65ea3ac3924ae745a6abe4838ca1d87671898ad90ae9a18e58

  • SSDEEP

    49152:Cv+lL26AaNeWgPhlmVqvMQ7XSK6v9y/ZBxOPoGdexMTHHB72eh2NT:CvuL26AaNeWgPhlmVqkQ7XSK64/M2

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Cristopher11sa-62565.portmap.host:62565

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes
  • encryption_key

    AEA258EF65BF1786F0F767C0BE2497ECC304C46F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      mielda loco 12.exe

    • Size

      3.1MB

    • MD5

      4ae7ab9b981922837aae1c86c7f726a3

    • SHA1

      1783e0788fb2a103d71bc9a05ae2fb85c0d70ee9

    • SHA256

      b1b8ad9032b829e2ac3956ce8f302745802cd2d5ae686c700796e2f2ee81b0f7

    • SHA512

      79c4bf39ae1761414b5f37186c2483a4b8755168824d6e783ea9cab26e7c0118f391b6417c622b65ea3ac3924ae745a6abe4838ca1d87671898ad90ae9a18e58

    • SSDEEP

      49152:Cv+lL26AaNeWgPhlmVqvMQ7XSK6v9y/ZBxOPoGdexMTHHB72eh2NT:CvuL26AaNeWgPhlmVqkQ7XSK64/M2

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks