General

  • Target: 185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e
  • Size: 358KB
  • Sample: 241205-yrfqdszjey
  • MD5: 19f081815e6c363fc05fb4e4be28325f
  • SHA1: 0ae19dc0f3874f9a80f6bb7c25a2e5b112f452f3
  • SHA256: 185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e
  • SHA512: 1c27a6c2ba52b0973b6aaea7bc66886400ac2bbd1d29f3512e31419efa8991b31f07d30cdb840b7829a9c2dccc944166889f44c16300fd3a65207fb979c415ac
  • SSDEEP: 6144:mbZJrgLF70dPbTIMEnTzTzTF579QlbMUjflrsXc4f4Lnadp0y:O47O/IF79EjfCXcy4jk0y

Malware Config

Extracted

  • Family: quasar
  • Version: 1.3.0.0
  • Botnet: H-A-C-K-E-D
  • C2: Niverzz-52901.portmap.host:52901
  • Mutex: QSR_MUTEX_zZK420JELHXuVWHG1x

Attributes

  • encryption_key: 1C3jvNao2B1gXCjfEPbY
  • install_name: RuntimeBorker.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: Runtime Broker
  • subdirectory: SubDir

Targets

    • Quasar RAT: Quasar is an open source Remote Access Tool.
    • Quasar family
    • Quasar payload
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks