General

  • Target

    5420cbc5d6be7831ccd48e8c7860f7d5c1060db80ed82063258f81c777aca8f1.exe

  • Size

    3.1MB

  • Sample

    241217-c8cjeayqbp

  • MD5

    2fd750229aa6122c30607bb59293a909

  • SHA1

    0feb9d22c13e6c2d19942788a49721db23e48d35

  • SHA256

    5420cbc5d6be7831ccd48e8c7860f7d5c1060db80ed82063258f81c777aca8f1

  • SHA512

    772b515f3efcff2a0fde47c125f9531d50028394a6c758e45e54743298714d118edaa94c6a67034a8a1cdce06f68342acee5b0fc0bc5ca610d28e8b8a6f52dec

  • SSDEEP

    49152:Dvht62XlaSFNWPjljiFa2RoUYImsRJ6abR3LoGdlTHHB72eh2NT:DvL62XlaSFNWPjljiFXRoUYImsRJ60

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

0.tcp.us-cal-1.ngrok.io:11837

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes
  • encryption_key

    7A589EDBC6A581E125BF830EF0D05FC74BB75E30

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    ctfmon

  • subdirectory

    SubDir

Targets

    • Target

      5420cbc5d6be7831ccd48e8c7860f7d5c1060db80ed82063258f81c777aca8f1.exe

    • Size

      3.1MB

    • MD5

      2fd750229aa6122c30607bb59293a909

    • SHA1

      0feb9d22c13e6c2d19942788a49721db23e48d35

    • SHA256

      5420cbc5d6be7831ccd48e8c7860f7d5c1060db80ed82063258f81c777aca8f1

    • SHA512

      772b515f3efcff2a0fde47c125f9531d50028394a6c758e45e54743298714d118edaa94c6a67034a8a1cdce06f68342acee5b0fc0bc5ca610d28e8b8a6f52dec

    • SSDEEP

      49152:Dvht62XlaSFNWPjljiFa2RoUYImsRJ6abR3LoGdlTHHB72eh2NT:DvL62XlaSFNWPjljiFXRoUYImsRJ60

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks