General

  • Target

    SMTPChecker.exe

  • Size

    23.1MB

  • Sample

    241123-t1htwsxqbs

  • MD5

    b2d4138a7cbb8b3e02d9f61c76f31f18

  • SHA1

    629dfd6d138fe6a9ff0492a63ef1ce0bd5356c6c

  • SHA256

    eabb7c5d04a447b6af835c375f9e5535fa1250f5ae976686048bf4bc9766612f

  • SHA512

    f9cc089193c91f603f0ed6f47f84fa7483344268a88b2bfdaa8914e5e9f07af84ab206bd621272718eaca8a3babdceeaf58cd25197b24adfc0cede6f3933c988

  • SSDEEP

    393216:ZSzcigXdH1z88oOJOVyRzVOrRS1/Q1NeJ42Mjck4GREfMfoPwY74HpC1P5aw:mVgc8hJO4wK/EdcsEfQobeM6

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

45.200.149.95:6669

Mutex

6HcAGCOypVIi6hl6rR

Attributes
  • encryption_key

    3Fmq36RtzQkpmjAWxAFM

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    DISC

  • subdirectory

    SubDir

Targets

    • Target

      SMTPChecker.exe

    • Size

      23.1MB

    • MD5

      b2d4138a7cbb8b3e02d9f61c76f31f18

    • SHA1

      629dfd6d138fe6a9ff0492a63ef1ce0bd5356c6c

    • SHA256

      eabb7c5d04a447b6af835c375f9e5535fa1250f5ae976686048bf4bc9766612f

    • SHA512

      f9cc089193c91f603f0ed6f47f84fa7483344268a88b2bfdaa8914e5e9f07af84ab206bd621272718eaca8a3babdceeaf58cd25197b24adfc0cede6f3933c988

    • SSDEEP

      393216:ZSzcigXdH1z88oOJOVyRzVOrRS1/Q1NeJ42Mjck4GREfMfoPwY74HpC1P5aw:mVgc8hJO4wK/EdcsEfQobeM6

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks