General

  • Target

    00f80131b00550bd8cbc45ea7f064b75c4b19fb2df93200f359593c3f5fc54f4.exe

  • Size

    8.2MB

  • Sample

    241217-cfywyawrgw

  • MD5

    917c0479804b76ae493bad95bf0c7710

  • SHA1

    7441c9042a3db3642416bd1fbee680e41fed6000

  • SHA256

    00f80131b00550bd8cbc45ea7f064b75c4b19fb2df93200f359593c3f5fc54f4

  • SHA512

    93ca248c62caa51a81a5156674ce4eceddc7c2bfd9331a8d522528d80b0d42042957e152e63021f9c3c6696ec76cbaec2ec5bc2820f5c0caf4976040e99d3aa8

  • SSDEEP

    196608:szdoXA+DYyx8t5KwwFdR3TNpiCHK9MIuBRR23pyHVvGAE+:szUDh8t55wFd1NckKKH+3pyHU

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.1 | SeroXen

C2

VIPEEK1990-25013.portmap.host:25013

Mutex

7018d402-47e5-4cb4-a786-2ea02c04bce5

Attributes
  • encryption_key

    B25AE15F5F63DA9A5796B857943A95D816F98892

  • install_name

    .exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

Targets

    • Target

      00f80131b00550bd8cbc45ea7f064b75c4b19fb2df93200f359593c3f5fc54f4.exe

    • Size

      8.2MB

    • MD5

      917c0479804b76ae493bad95bf0c7710

    • SHA1

      7441c9042a3db3642416bd1fbee680e41fed6000

    • SHA256

      00f80131b00550bd8cbc45ea7f064b75c4b19fb2df93200f359593c3f5fc54f4

    • SHA512

      93ca248c62caa51a81a5156674ce4eceddc7c2bfd9331a8d522528d80b0d42042957e152e63021f9c3c6696ec76cbaec2ec5bc2820f5c0caf4976040e99d3aa8

    • SSDEEP

      196608:szdoXA+DYyx8t5KwwFdR3TNpiCHK9MIuBRR23pyHVvGAE+:szUDh8t55wFd1NckKKH+3pyHU

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks