General

  • Target

    Cotizacin99026475526_pdf.com.exe

  • Size

    3.5MB

  • Sample

    241120-qzr5dsxcka

  • MD5

    4a82d22fa6354daece680e49deb2ca2b

  • SHA1

    370b26a5e33c3ae9fc567a22b57eedeb31b285c8

  • SHA256

    a83b6e776af937398296eb1b06b65e9ea8226693b5a8337f35c8b8e42bebb23b

  • SHA512

    1e5870c81ff59dab2afb07ab29d6ac1a5effdc6a869f9e0b23afeee0418d690cf46c05edd8825ba8b4a7b6e9fef3cf002115f41ec6a727a1c866ba94d739ff78

  • SSDEEP

    98304:AKUGRNTsLRvcuO0EcF40Qyiptb28Guy2NprIgq:AjAov9Ou6cipx072Nprb

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

JEKWU

C2

Zyg.ydns.eu:5829

Opy.ydns.eu:5829

Mutex

9c58b2ba-07eb-415a-b48b-21bbb68d32285e

Attributes
  • encryption_key

    C5B555A83D127A9553D4FB1FCECB35CE8E91A447

  • install_name

    outlooks.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Outlooks

  • subdirectory

    WindowsUpdates

Targets

    • Target

      Cotizacin99026475526_pdf.com.exe

    • Size

      3.5MB

    • MD5

      4a82d22fa6354daece680e49deb2ca2b

    • SHA1

      370b26a5e33c3ae9fc567a22b57eedeb31b285c8

    • SHA256

      a83b6e776af937398296eb1b06b65e9ea8226693b5a8337f35c8b8e42bebb23b

    • SHA512

      1e5870c81ff59dab2afb07ab29d6ac1a5effdc6a869f9e0b23afeee0418d690cf46c05edd8825ba8b4a7b6e9fef3cf002115f41ec6a727a1c866ba94d739ff78

    • SSDEEP

      98304:AKUGRNTsLRvcuO0EcF40Qyiptb28Guy2NprIgq:AjAov9Ou6cipx072Nprb

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks