General

  • Target

    fun.exe

  • Size

    3.1MB

  • Sample

    241116-hbs3sa1gqe

  • MD5

    08bf40bfcb734f6fbb2b1b8a15081a75

  • SHA1

    f20375b288aa16fde380543c388fab32e3991905

  • SHA256

    085ebdee80d776053153a77ba8396b84a134b2ccb2c6774b06d7d59805d39595

  • SHA512

    ef3977ba5ffbb49de9e7016cca0fb3d0a69dc830363e77bbadf5e5665288826efe87bc3759475c23fbae0bf03b6863b73cbed5961df049ecdf3b7d794e49a8ef

  • SSDEEP

    49152:rvyI22SsaNYfdPBldt698dBcjH/wtxNESE8k/ivLoGdbj6uTHHB72eh2NT:rvf22SsaNYfdPBldt6+dBcjH/6xnz

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

azxq0ap.localto.net:9224

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes
  • encryption_key

    AEA258EF65BF1786F0F767C0BE2497ECC304C46F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      fun.exe

    • Size

      3.1MB

    • MD5

      08bf40bfcb734f6fbb2b1b8a15081a75

    • SHA1

      f20375b288aa16fde380543c388fab32e3991905

    • SHA256

      085ebdee80d776053153a77ba8396b84a134b2ccb2c6774b06d7d59805d39595

    • SHA512

      ef3977ba5ffbb49de9e7016cca0fb3d0a69dc830363e77bbadf5e5665288826efe87bc3759475c23fbae0bf03b6863b73cbed5961df049ecdf3b7d794e49a8ef

    • SSDEEP

      49152:rvyI22SsaNYfdPBldt698dBcjH/wtxNESE8k/ivLoGdbj6uTHHB72eh2NT:rvf22SsaNYfdPBldt6+dBcjH/6xnz

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks