General

  • Target

    6915bde6ef5408870b2ccb6d578a4a0d753a2f6df3e286a41dbd68aaee70ba82N.exe

  • Size

    480KB

  • Sample

    241126-vlvqkswqhl

  • MD5

    23f57c49b1d789e13d82223fbd441b30

  • SHA1

    2c3aab73b66b19bc34b82f6cfb9e61f789152be5

  • SHA256

    6915bde6ef5408870b2ccb6d578a4a0d753a2f6df3e286a41dbd68aaee70ba82

  • SHA512

    379566c8a8f9290996d3c4ca241923032eb040434e07970b477cc8e5be3365c63a827ea37d4c2fe8ad1c717ae3a4bb1bdb7c37d5e9fb16766202d86fb5231e89

  • SSDEEP

    12288:iww6xvH9M3Ir55+JpWQbe6Ef4D+2u+4gnflehWH:inKP9M4r55+JAQGf4D+2tleAH

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

svchost.exe

C2

23.227.174.82:4782

Mutex

QSR_MUTEX_UtaUPinApnyZsQXsVE

Attributes
  • encryption_key

    hn8U0t79xWv7f03kzG79

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      6915bde6ef5408870b2ccb6d578a4a0d753a2f6df3e286a41dbd68aaee70ba82N.exe

    • Size

      480KB

    • MD5

      23f57c49b1d789e13d82223fbd441b30

    • SHA1

      2c3aab73b66b19bc34b82f6cfb9e61f789152be5

    • SHA256

      6915bde6ef5408870b2ccb6d578a4a0d753a2f6df3e286a41dbd68aaee70ba82

    • SHA512

      379566c8a8f9290996d3c4ca241923032eb040434e07970b477cc8e5be3365c63a827ea37d4c2fe8ad1c717ae3a4bb1bdb7c37d5e9fb16766202d86fb5231e89

    • SSDEEP

      12288:iww6xvH9M3Ir55+JpWQbe6Ef4D+2u+4gnflehWH:inKP9M4r55+JAQGf4D+2tleAH

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks