General

  • Target

    b8494a5132217091e54397571abe6d1ee07b4e136105b834b9dbf3c4edc8ee99N.exe

  • Size

    5KB

  • Sample

    241216-axy7xsvlgv

  • MD5

    dbfaaadeb507446fe65aa09ffc3570d0

  • SHA1

    84ee588f8db2217b56e3c20a13ecf161318c56ca

  • SHA256

    b8494a5132217091e54397571abe6d1ee07b4e136105b834b9dbf3c4edc8ee99

  • SHA512

    fd6d89450b312b26fda6070a5b14dedc801b7299c70f8a022a3fa17855650316e0ab0f9e6bb727ad058c8fd8a38e299926e78adadbda966e3312f818c2b1b1c8

  • SSDEEP

    96:AT6gFs60Dctksx+3NqjH+EsUbmPfAFzNt:4kz+ToN6eEsUyK

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

TEAM

C2

win32updates.DUCKDNS.ORG:12

Mutex

QSR_MUTEX_4XlJYd3sYkHLvFZyoo

Attributes

  • encryption_key

    i5XqKfOlwBlh9rS0kdDD

  • install_name

    winrar.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    winrar

  • subdirectory

    winrar

Targets

    • Target

      b8494a5132217091e54397571abe6d1ee07b4e136105b834b9dbf3c4edc8ee99N.exe

    • Size

      5KB

    • MD5

      dbfaaadeb507446fe65aa09ffc3570d0

    • SHA1

      84ee588f8db2217b56e3c20a13ecf161318c56ca

    • SHA256

      b8494a5132217091e54397571abe6d1ee07b4e136105b834b9dbf3c4edc8ee99

    • SHA512

      fd6d89450b312b26fda6070a5b14dedc801b7299c70f8a022a3fa17855650316e0ab0f9e6bb727ad058c8fd8a38e299926e78adadbda966e3312f818c2b1b1c8

    • SSDEEP

      96:AT6gFs60Dctksx+3NqjH+EsUbmPfAFzNt:4kz+ToN6eEsUyK

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15