General

  • Target

    5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6

  • Size

    3.7MB

  • Sample

    241203-l213vswkfp

  • MD5

    cd765738ca380479232b3742bec4681a

  • SHA1

    72183452d01eabefa4a1dc4e4702df04aca6da4e

  • SHA256

    5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6

  • SHA512

    047266f5d2f30661857c501c705a18128082551498351eee28600bfb051e276535e00abfa0dd30acbcdb01e9238958f06ca934abb094ee03666cae51475ed6f5

  • SSDEEP

    49152:sBe/wR+kPCndafDZ7MTpxKQ4vWcucxZIp6/Y6HhxVetUw5WxGea2rkoVAAVsK5Iw:/namVxrcxys/XhxsuwEUeFzyRM

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

CODE

C2

twart.myfirewall.org:9792

rency.ydns.eu:5287

wqo9.firewall-gateway.de:8841

Mutex

02351e291-5d041-4fa37-932c7-869aeiQec514992

Attributes
  • encryption_key

    3145298725BA5E0DD56E87FFE3F8898EA81E6EDA

  • install_name

    workbook.exe

  • log_directory

    Logs

  • reconnect_delay

    6000

  • startup_key

    workbook

  • subdirectory

    SubDir

Targets

    • Target

      5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6

    • Size

      3.7MB

    • MD5

      cd765738ca380479232b3742bec4681a

    • SHA1

      72183452d01eabefa4a1dc4e4702df04aca6da4e

    • SHA256

      5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6

    • SHA512

      047266f5d2f30661857c501c705a18128082551498351eee28600bfb051e276535e00abfa0dd30acbcdb01e9238958f06ca934abb094ee03666cae51475ed6f5

    • SSDEEP

      49152:sBe/wR+kPCndafDZ7MTpxKQ4vWcucxZIp6/Y6HhxVetUw5WxGea2rkoVAAVsK5Iw:/namVxrcxys/XhxsuwEUeFzyRM

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks