General

  • Target

    FlashingSoftwarePRO.exe

  • Size

    3.4MB

  • Sample

    241209-vnqjmszlcl

  • MD5

    a15342ce7b35b9509dcd51d5f0506f4e

  • SHA1

    f8c85bcd18d7bc43f7668f4e6b32f8f97729f1e9

  • SHA256

    608df6a8df334a640a62a58fadf4a930c6aeb849f22e0aa913c9f7a5e1940c6f

  • SHA512

    0857813ac1954be3cbbf57b435d5e968a0757ebd29ab205d1491e0f0f5738ce445fbda4fff44f66196d97a7e66cb4edc099acec69263dee8b8843f018f35c6e9

  • SSDEEP

    49152:jvqG42pda6D+/PjlLOlg6yQipVhW/HNRsAvJs3oGd/THHB72eh2NT:jvN42pda6D+/PjlLOlZyQipVosx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

C2

192.168.0.147:4782

101.56.195.62:4782

Matt10n3-57692.portmap.host:57692

Mutex

08e310ae-ecb8-4d83-b87f-95abe874bb4c

Attributes
  • encryption_key

    7AC4D01862AC71A180B8FAEE5694E9D7B88EF662

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    RuntimeBroker

  • subdirectory

    System32

Targets

    • Target

      FlashingSoftwarePRO.exe

    • Size

      3.4MB

    • MD5

      a15342ce7b35b9509dcd51d5f0506f4e

    • SHA1

      f8c85bcd18d7bc43f7668f4e6b32f8f97729f1e9

    • SHA256

      608df6a8df334a640a62a58fadf4a930c6aeb849f22e0aa913c9f7a5e1940c6f

    • SHA512

      0857813ac1954be3cbbf57b435d5e968a0757ebd29ab205d1491e0f0f5738ce445fbda4fff44f66196d97a7e66cb4edc099acec69263dee8b8843f018f35c6e9

    • SSDEEP

      49152:jvqG42pda6D+/PjlLOlg6yQipVhW/HNRsAvJs3oGd/THHB72eh2NT:jvN42pda6D+/PjlLOlZyQipVosx

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks