General
-
Target
el liam bailando xd.mp4
-
Size
3.1MB
-
Sample
241122-aqhxcswqcn
-
MD5
923b5eff3b0b3c29308cb73a568ebddf
-
SHA1
4cc065f11403aee930f0d2e4ff996454c607dc27
-
SHA256
4eb15cc2049a0945258b21fab368829cf9d921d9540127b954f0d0ba6034f335
-
SHA512
3b4d63b963b0bc2f15527db0bcff9268dba6bc5efb6842eec391b040aeca5a1dbe1bbac840930070855913542c999778e65e5b3a6171f992deec2a83945248ea
-
SSDEEP
98304:6aps3ZS26/GvzUYWcOn5xh24cf10YLjnM8Oz4Y:6ucZS281jcOv4HL7Oz3
Malware Config
Extracted
quasar
-
reconnect_delay
5000
Extracted
quasar
1.3.0.0
Office04
10.127.1.137:4782
QSR_MUTEX_hbxMQFPRGA78sZ0gkM
-
encryption_key
I6Y1GM1uLHisr8VCR7Cf
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
el liam bailando xd.mp4
-
Size
3.1MB
-
MD5
923b5eff3b0b3c29308cb73a568ebddf
-
SHA1
4cc065f11403aee930f0d2e4ff996454c607dc27
-
SHA256
4eb15cc2049a0945258b21fab368829cf9d921d9540127b954f0d0ba6034f335
-
SHA512
3b4d63b963b0bc2f15527db0bcff9268dba6bc5efb6842eec391b040aeca5a1dbe1bbac840930070855913542c999778e65e5b3a6171f992deec2a83945248ea
-
SSDEEP
98304:6aps3ZS26/GvzUYWcOn5xh24cf10YLjnM8Oz4Y:6ucZS281jcOv4HL7Oz3
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Executes dropped EXE
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1