General

  • Target: ghew.exe
  • Size: 3.1MB
  • Sample: 241114-talg4a1dnc
  • MD5: 5339f895bb32d0aeb85a66d679eee3e3
  • SHA1: 188de7231d2e6884fcc6cff53ec0146c10c01921
  • SHA256: 74afe07e1c9db57aac77083c0ae3fe619897b17f5e3b4cbee0ef5a1ed96926a5
  • SHA512: df81c791789ed699f2e852b794c4a227738633b00ae8c5c02db0793be770897a67230c82e15129ea61786a971cb213f5392367efb59ac0c902ec9a4a6448633e
  • SSDEEP: 49152:yvBt62XlaSFNWPjljiFa2RoUYI6rkweJfoGddTxTHHB72eh2NT:yvr62XlaSFNWPjljiFXRoUYI6rkweBN

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: Office04
  • C2: 4.tcp.us-cal-1.ngrok.io:15387
  • Mutex: 6d7137f1-888a-4306-b936-24b0c1cd3c6d

Attributes

  • encryption_key: 9C726C32E22321BF6CA2A3F704FAB2189268B504
  • install_name: LogitechDRV.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: LogitechDRV
  • subdirectory: SubDir

Targets

  • Target: ghew.exe (size and hashes identical to the sample listed under General above)

  Signatures

    • Quasar RAT
      Quasar is an open source Remote Access Tool.
    • Quasar family
    • Quasar payload
    • Executes dropped EXE
    • Legitimate hosting services abused for malware hosting/C2
    • Drops file in System32 directory
