General

  • Target

    RobloxCrasher.exe

  • Size

    3.2MB

  • Sample

    241116-mdz2bstmh1

  • MD5

    ebda07e93515d2a92cf0f34bee690b43

  • SHA1

    56b44e24857999dc97a26b7b8d9044b1235fd167

  • SHA256

    aebe8489a53693d4466be30dfd930c2cbc79a21687b228a8f304815906de02d6

  • SHA512

    f3c01b7cae001b3630aa4959844724368e8f7244630a4867758d310c9b5f60a17b471ef84df356539ce5e4eb6d6ac9577b1e4a0c71e24826a8da0a84ff2ed54e

  • SSDEEP

    98304:isdJl5i8RDSoqm7GvvZX7BnmrcdMWu2tVKsL:3Jl5jyGyVmrCMWjtMsL

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Roblox

C2

bigchancepenis.bounceme.net:9000

Mutex

e293c679-127e-4679-9d5e-f004c0e21f2b

Attributes
  • encryption_key

    693B804C4C15D633359B0059C08E017241D484D5

  • install_name

    Roblox.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows34

  • subdirectory

    SubDir

Targets

    • Target

      RobloxCrasher.exe

    • Size

      3.2MB

    • MD5

      ebda07e93515d2a92cf0f34bee690b43

    • SHA1

      56b44e24857999dc97a26b7b8d9044b1235fd167

    • SHA256

      aebe8489a53693d4466be30dfd930c2cbc79a21687b228a8f304815906de02d6

    • SHA512

      f3c01b7cae001b3630aa4959844724368e8f7244630a4867758d310c9b5f60a17b471ef84df356539ce5e4eb6d6ac9577b1e4a0c71e24826a8da0a84ff2ed54e

    • SSDEEP

      98304:isdJl5i8RDSoqm7GvvZX7BnmrcdMWu2tVKsL:3Jl5jyGyVmrCMWjtMsL

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks