General

  • Target

    Client-built.exe

  • Size

    348KB

  • Sample

    241216-yezmqsymh1

  • MD5

    1b3caea7f3034ec10eecb722a369c652

  • SHA1

    7bf564e5695c879a823068f19b9c5b25d9c3ed53

  • SHA256

    4ca77febd10fb2e3a0ebd202ffd7efb798912d80c76ebdbc76b68b7b59de115a

  • SHA512

    96d59d9a0bca26121ea0643840a3c568fb5ee5fa21cb4e6278cb229ad9b34c9445c22f406daa3c8c11f84f30995064612a1e24eff3211878eae2fd5c5b81a646

  • SSDEEP

    6144:9MNHXf500ME3EaGbbJ23fR34sZh85r+UxRXNO:ud50LNqR3nh8l+UxRXNO

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Meedo

C2

2.tcp.eu.ngrok.io:8080

2.tcp.eu.ngrok.io:13677

Mutex

QSR_MUTEX_F7GTMqsQBGCZlMGQ5p

Attributes
  • encryption_key

    U2vyTIQERz1Bf5527M3K

  • install_name

    win.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Runtime

  • subdirectory

    Subdir

Targets

    • Target

      Client-built.exe

    • Size

      348KB

    • MD5

      1b3caea7f3034ec10eecb722a369c652

    • SHA1

      7bf564e5695c879a823068f19b9c5b25d9c3ed53

    • SHA256

      4ca77febd10fb2e3a0ebd202ffd7efb798912d80c76ebdbc76b68b7b59de115a

    • SHA512

      96d59d9a0bca26121ea0643840a3c568fb5ee5fa21cb4e6278cb229ad9b34c9445c22f406daa3c8c11f84f30995064612a1e24eff3211878eae2fd5c5b81a646

    • SSDEEP

      6144:9MNHXf500ME3EaGbbJ23fR34sZh85r+UxRXNO:ud50LNqR3nh8l+UxRXNO

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks