General

  • Target

    0d4777cd136637a6a622af6891450a910bfb908743c1586b987ee75f0d923c9f

  • Size

    877KB

  • Sample

    241122-ydvmdsxlew

  • MD5

    af2cca9e175c1e73fdc927423bf34063

  • SHA1

    9fb1313901e0ac98a4c5aa3da0c0223b4bfca1f2

  • SHA256

    0d4777cd136637a6a622af6891450a910bfb908743c1586b987ee75f0d923c9f

  • SHA512

    8d57d681ad9bfb772fdf74b05a5012e0cac168db3265864de1b9898ac0126b8ac969a273060275309ab6e99087acfc7ea48a2c2b8d2bc70989ef546d98ab9b9f

  • SSDEEP

    12288:7FY7UCaIsX+aC+fwRDV4gF03IFdfQeArznBKau8i1ozAq5uZCTN2E/Ep6A4W/89m:7FKraaaNwC3ktQeAwVGB5uaZ/of3

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

AOY

C2

87.120.120.27:61540

127.0.0.1:61540

87.121.86.205:61541

Mutex

QSR_MUTEX_NOCv4TURf46HbVbxyc

Attributes
  • encryption_key

    fVsndNhImy9VosyZSQbQ

  • install_name

    updates.exe

  • log_directory

    Logs

  • reconnect_delay

    4000

  • startup_key

    Windows Update

  • subdirectory

    Windows

Targets

    • Target

      0d4777cd136637a6a622af6891450a910bfb908743c1586b987ee75f0d923c9f

    • Size

      877KB

    • MD5

      af2cca9e175c1e73fdc927423bf34063

    • SHA1

      9fb1313901e0ac98a4c5aa3da0c0223b4bfca1f2

    • SHA256

      0d4777cd136637a6a622af6891450a910bfb908743c1586b987ee75f0d923c9f

    • SHA512

      8d57d681ad9bfb772fdf74b05a5012e0cac168db3265864de1b9898ac0126b8ac969a273060275309ab6e99087acfc7ea48a2c2b8d2bc70989ef546d98ab9b9f

    • SSDEEP

      12288:7FY7UCaIsX+aC+fwRDV4gF03IFdfQeArznBKau8i1ozAq5uZCTN2E/Ep6A4W/89m:7FKraaaNwC3ktQeAwVGB5uaZ/of3

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks