General

  • Target

    b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe

  • Size

    3.1MB

  • Sample

    241217-e1q3ya1phn

  • MD5

    f4da021b8bc9d8ef1ff9ce30b0ab3b79

  • SHA1

    998a833c28617bf3e215fe7a8c3552972da36851

  • SHA256

    b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

  • SHA512

    77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c

  • SSDEEP

    98304:ZvlL26AaNeWgPhlmVqkQ7XSKVcRJ6p3I:Nj4SN43I

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

C2

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes
  • encryption_key

    F1EBDB1862062F9265C0B5AC4D02C76D026534D0

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    Temp

Targets

    • Target

      b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe

    • Size

      3.1MB

    • MD5

      f4da021b8bc9d8ef1ff9ce30b0ab3b79

    • SHA1

      998a833c28617bf3e215fe7a8c3552972da36851

    • SHA256

      b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

    • SHA512

      77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c

    • SSDEEP

      98304:ZvlL26AaNeWgPhlmVqkQ7XSKVcRJ6p3I:Nj4SN43I

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks