General

  • Target

    43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe

  • Size

    3.1MB

  • Sample

    241217-c3m3ysyndr

  • MD5

    f21aa436096afece0b8c39c36bf4a9ab

  • SHA1

    976b74c6a4e59e59a812c06032aae71a0516236a

  • SHA256

    43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10

  • SHA512

    44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b

  • SSDEEP

    49152:pvrI22SsaNYfdPBldt698dBcjHKO06CBxDPoGd9THHB72eh2NT:pvU22SsaNYfdPBldt6+dBcjH06O

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

WenzCordRat

C2

nickhill112-22345.portmap.host:22345

Mutex

7ee1db41-359a-46b2-bba3-791dc7cde5e1

Attributes
  • encryption_key

    985DB7D034DB1B5D52F524873569DDDE4080F31C

  • install_name

    WenzCord.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update.exe

  • subdirectory

    SubDir

Targets

    • Target

      43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe

    • Size

      3.1MB

    • MD5

      f21aa436096afece0b8c39c36bf4a9ab

    • SHA1

      976b74c6a4e59e59a812c06032aae71a0516236a

    • SHA256

      43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10

    • SHA512

      44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b

    • SSDEEP

      49152:pvrI22SsaNYfdPBldt698dBcjHKO06CBxDPoGd9THHB72eh2NT:pvU22SsaNYfdPBldt6+dBcjH06O

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks