General

  • Target

    Unborn Loader.rar

  • Size

    2.4MB

  • Sample

    241214-v22h3a1laj

  • MD5

    30e58249ce4ad8eedab5ba96cc249bde

  • SHA1

    51b082f305f74b1ff70c7a19312cccd1fbe34859

  • SHA256

    6f0508001795fa33102003e9fba80a30b91a68a2f2cc93897bf8810b3952cbf1

  • SHA512

    ce3e87d1cf44a657e6e11212dfe0bc8597e23117ac4ef7dcdd782464fbcfd6464e9892fecbbb4715c4c2f945f30ca92212faf27ed7abee783829bf9138189216

  • SSDEEP

    49152:V4SvGjF/Ma6VaXHjKf/rd3mterJl997XilaZLEmkwXCYJTU2pXsSWGl31iaV:VOF/MijWoI9ljzSlV+TUcnl

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

fontdrvhost

C2

vaxlet.duckdns.org:1852

Mutex

afa818a3-1965-4b44-bd1c-c136b77dd6c2

Attributes

  • encryption_key

    72F1D1477892633326199B903D992BF6D42C80FC

  • install_name

    fontdrvhost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    fontdrvhost

  • subdirectory

    Driver

Targets

    • Target

      Unborn Loader.rar

    • Size

      2.4MB

    • MD5

      30e58249ce4ad8eedab5ba96cc249bde

    • SHA1

      51b082f305f74b1ff70c7a19312cccd1fbe34859

    • SHA256

      6f0508001795fa33102003e9fba80a30b91a68a2f2cc93897bf8810b3952cbf1

    • SHA512

      ce3e87d1cf44a657e6e11212dfe0bc8597e23117ac4ef7dcdd782464fbcfd6464e9892fecbbb4715c4c2f945f30ca92212faf27ed7abee783829bf9138189216

    • SSDEEP

      49152:V4SvGjF/Ma6VaXHjKf/rd3mterJl997XilaZLEmkwXCYJTU2pXsSWGl31iaV:VOF/MijWoI9ljzSlV+TUcnl

    Score

      7/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Unborn Loader.exe

    • Size

      932KB

    • MD5

      b09fc8269f897d7f94bd58ef20f42545

    • SHA1

      b10fb06fb53767676a83ea0f65678b4fbd90cd1b

    • SHA256

      6ad82006952f9fc912bdd3a767492098cc2ab7ffa7f2cdbc7114bd77a50f4c4c

    • SHA512

      c88db52dfbe8afcc0d79a77cb1cf71e03f4b1a432782c93ea21259bc62bea2018c5372da110eb9c1eae853fafcb714911b6d90b634565012236ce810c1cb308a

    • SSDEEP

      24576:zI9Y4Mb7AL/JCd1Cnw7u36GMiyr745v/gY:zI9RMgL/senNJWr745vP

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Target

      d3dx9_39.dll

    • Size

      4.8MB

    • MD5

      7505c133fc704b40cfddfd38777baac3

    • SHA1

      34fcfe7be4a9ea08c63b6f5392ac8cd10a05827a

    • SHA256

      aecbe2965f7c9aa60257670114c06b21a3de914b03e20ff569c5cb44ec4807fd

    • SHA512

      8ca2d8be9dd148587906b154ec9d3ca0d1d7cd781c2bf307011407303fce981acce63d28329083a6a731442743732789aaea0a7bbd4e2d2a57d4f3e284f7b471

    • SSDEEP

      49152:RPCvau58R2Rr3DnyPD81PDWdlFiyPbznxZRjhLcvRVFQHgIkNn0QwdyQKZwGUfcA:RapzyPFdBv6XFQH4Nn0FdMq0nA

    Score

      1/10

    • Target

      msvcp140.dll

    • Size

      576KB

    • MD5

      7b92a6cb5d2cad407c457ab12d2b211d

    • SHA1

      e04020b3448fc6084fa31b7f791f22ff15e31328

    • SHA256

      3c6a772319fff3ee56d4cedbe332bb5c0c2f394714cf473c6cdf933754114784

    • SHA512

      b28740c1aca4f0f60a9e4a9ab5a0561af774d977ab6d42a7eea70c9e560c77c50be5d9d869f05d0435e2923f4f600219335d22425807ab23cbbcda75442c4b42

    • SSDEEP

      12288:RI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRvbQEKZm+jWodEEVhQ:RD89rxZCQEKZm+jWodEEPQ

    Score

      1/10

MITRE ATT&CK Enterprise v15

Tasks