General

  • Target

    SlottedAimV2.exe

  • Size

    7.0MB

  • Sample

    241122-epv8hstqet

  • MD5

    decace854bd66eba96581505cbb1f785

  • SHA1

    dfd6824e2db3a2ebb89208f0e5f69e6cc1661da6

  • SHA256

    ebbdf48aafe6c046eca7512a4e764629559392147518fdf2917751a891bfcd5d

  • SHA512

    e55f8afc9a36913aaa24932a94b82100a53accd4f5d8865fc207c9b50c607efa259115d53d5926e0b45c99c0b9dece02996a6b8db5d365af122ccbcdd69823c8

  • SSDEEP

    196608:WrSUf0qyleOjmFQR4MVGFtwLPCnL2hVcL:PVXKtM5LPCGcL

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

FORTNITE

C2

hanekese.ddns.net:1005

Mutex

QSR_MUTEX_uKpgto5HxTzlVefHo9

Attributes
  • encryption_key

    RayN5IunUgPITKqRBUZA

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    mac updater

  • subdirectory

    SubDir

Targets

    • Target

      SlottedAimV2.exe

    • Size

      7.0MB

    • MD5

      decace854bd66eba96581505cbb1f785

    • SHA1

      dfd6824e2db3a2ebb89208f0e5f69e6cc1661da6

    • SHA256

      ebbdf48aafe6c046eca7512a4e764629559392147518fdf2917751a891bfcd5d

    • SHA512

      e55f8afc9a36913aaa24932a94b82100a53accd4f5d8865fc207c9b50c607efa259115d53d5926e0b45c99c0b9dece02996a6b8db5d365af122ccbcdd69823c8

    • SSDEEP

      196608:WrSUf0qyleOjmFQR4MVGFtwLPCnL2hVcL:PVXKtM5LPCGcL

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks