General

  • Target

    Universal.exe

  • Size

    9.0MB

  • Sample

    241207-y89pssskay

  • MD5

    b16206b1cf5cf25c38414b3f1b369539

  • SHA1

    5382e726725987acf9fc44b722b88a7c244696ae

  • SHA256

    7908bdb7ba08f8c9b9aafbf113b51dd379ae4d43a89e4b8bc3801159ed10d71f

  • SHA512

    5c990213c23f9087a1cd8caa3d78d938901d50a7a322c3fb5969386a5a3f4e27f9c283eb68f46bbed7fe537dc349d0db9ca62f313317c225b1ee5ab90db8a931

  • SSDEEP

    196608:HllOb99rpYB/HGe2s2em9572gugYlNVtrIb8bVKj8xeF:HutYB/mU2euqn28Yj8x+

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    Universal

  • C2

    gfwrfwerfewfeq-54402.portmap.host:54402

  • Mutex

    d4a39711-3adb-4df8-aadd-f34e6b8e20aa

Attributes

  • encryption_key

    2C237F672DAC6A3056F8BA2A735CF3147385D6C7

  • install_name

    Aimmy.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Clean Boot

  • subdirectory

    WindowsSecurityInfo

Targets

    • Target

      Universal.exe

    • Size

      9.0MB

    • MD5

      b16206b1cf5cf25c38414b3f1b369539

    • SHA1

      5382e726725987acf9fc44b722b88a7c244696ae

    • SHA256

      7908bdb7ba08f8c9b9aafbf113b51dd379ae4d43a89e4b8bc3801159ed10d71f

    • SHA512

      5c990213c23f9087a1cd8caa3d78d938901d50a7a322c3fb5969386a5a3f4e27f9c283eb68f46bbed7fe537dc349d0db9ca62f313317c225b1ee5ab90db8a931

    • SSDEEP

      196608:HllOb99rpYB/HGe2s2em9572gugYlNVtrIb8bVKj8xeF:HutYB/mU2euqn28Yj8x+

    • Quasar RAT

      Quasar is an open-source Remote Access Tool (RAT).

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks