General

  • Target

    06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe

  • Size

    16.7MB

  • Sample

    241123-hnbn9szrd1

  • MD5

    65e77040ed7d9dbbbbb65be5f8528b61

  • SHA1

    22e5e40a62ebda8aae9f658d617888114ccc712f

  • SHA256

    06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c

  • SHA512

    b185ea47e46279938566febd61fe120d4255ae2ade08bf213edf477096bbafb244705208dfec28dabf1e19db85e85dea24880fdc8efd10b7fb05cd709c0b7236

  • SSDEEP

    393216:urN50n4bwQq7t3J086sIB6ehAAJ2u653xVu7vHhqBa4Cs0:uka9ZPBxKJpHCpqBa4Cx

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

C2

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes
  • encryption_key

    8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D

  • install_name

    chrome.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    System

  • subdirectory

    chrome

Targets

    • Target

      06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe

    • Size

      16.7MB

    • MD5

      65e77040ed7d9dbbbbb65be5f8528b61

    • SHA1

      22e5e40a62ebda8aae9f658d617888114ccc712f

    • SHA256

      06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c

    • SHA512

      b185ea47e46279938566febd61fe120d4255ae2ade08bf213edf477096bbafb244705208dfec28dabf1e19db85e85dea24880fdc8efd10b7fb05cd709c0b7236

    • SSDEEP

      393216:urN50n4bwQq7t3J086sIB6ehAAJ2u653xVu7vHhqBa4Cs0:uka9ZPBxKJpHCpqBa4Cx

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks