General

  • Target

    ed340526b36db90f266db2a5f1c48c109ecc51ea6bdb9e907240c3da858b74e4

  • Size

    3.1MB

  • Sample

    241216-swxa2stnby

  • MD5

    ff7d780fa5f307da8d52650d52c9f0f7

  • SHA1

    3d687e6aa07995b8415a74cb5700b1abdb48ae3b

  • SHA256

    ed340526b36db90f266db2a5f1c48c109ecc51ea6bdb9e907240c3da858b74e4

  • SHA512

    4ba9b40ae829bec98a7bb156cb574d820b4aaaf4958d0543c9946afa2f5cbfc6989e6bed9ef507f16d9d540e7e85aab24be8d7a87689242610e586f270271e8f

  • SSDEEP

    49152:Svht62XlaSFNWPjljiFa2RoUYIz5aqVkooGdoxTHHB72eh2NT:SvL62XlaSFNWPjljiFXRoUYIz5aqVN4

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

0.tcp.us-cal-1.ngrok.io:15579

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes
  • encryption_key

    7A589EDBC6A581E125BF830EF0D05FC74BB75E30

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    ctfmon

  • subdirectory

    SubDir

Targets

    • Target

      ed340526b36db90f266db2a5f1c48c109ecc51ea6bdb9e907240c3da858b74e4

    • Size

      3.1MB

    • MD5

      ff7d780fa5f307da8d52650d52c9f0f7

    • SHA1

      3d687e6aa07995b8415a74cb5700b1abdb48ae3b

    • SHA256

      ed340526b36db90f266db2a5f1c48c109ecc51ea6bdb9e907240c3da858b74e4

    • SHA512

      4ba9b40ae829bec98a7bb156cb574d820b4aaaf4958d0543c9946afa2f5cbfc6989e6bed9ef507f16d9d540e7e85aab24be8d7a87689242610e586f270271e8f

    • SSDEEP

      49152:Svht62XlaSFNWPjljiFa2RoUYIz5aqVkooGdoxTHHB72eh2NT:SvL62XlaSFNWPjljiFXRoUYIz5aqVN4

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks