General
Target: sad.exe
Size: 10.6MB
Sample: 241116-ahq8rsvhpf
MD5: fb6a511a2a009c7ff4cb9724b9b9678b
SHA1: 362840e51d7750cfeb3656130c518ad02abb21f5
SHA256: 72f6b9d06005676a0f3959de9f82ff58db8c15d47bd71f7ccbfd30e4badd83e3
SHA512: 8f48e436b59723c0c5ced00400489240a82be81cc7fc539ce438649ae3a5f49f1f31fbcc07d76f9e747c14f0bba1ee31a542161923784e3ffcde86539597b944
SSDEEP: 196608:IXNA3zIJPvEzKIjnIlzyNwnpfv5vORNgs1FQDwtxI1/56nhg08R0Yqqc4bZ54x:ICIJrIDIRyNK5mRiv+xG6z8Tqqfr
Static task: static1
Behavioral task: behavioral1
Sample: sad.exe
Resource: win10ltsc2021-20241023-en
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: dumby bo got ratted LOLOL
C2: 192.168.1.4:4782
Mutex: 6f229673-e6d0-41b5-a1e4-1cbc29eeffd8
encryption_key: 84EEFDB37698E582E7732B4568EC490426D1D6DF
install_name: d1aler.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Java updater
Targets
Target: sad.exe
Quasar family
Quasar payload
Drops file in Drivers directory
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Clipboard Data: Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Executes dropped EXE
Loads dropped DLL
Unsecured Credentials: Credentials In Files: Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Obfuscated Files or Information: Command Obfuscation: Adversaries may obfuscate content during command execution to impede detection.
Drops file in System32 directory
Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
- Obfuscated Files or Information (1)
  - Command Obfuscation (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)