General

  • Target

    fud2.exe

  • Size

    3.2MB

  • Sample

    241217-hamvdasrcz

  • MD5

    3dc1d39a2ebeb5dc85da7e8c3d6e3aaa

  • SHA1

    4cfcddc23cc0949ca620474edef6c82a2c2280d3

  • SHA256

    5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4

  • SHA512

    77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a

  • SSDEEP

    49152:tkvXI22SsaNYfdPBldt698dBcjHIGRJ6ybR3LoGdJTHHB72eh2NTC:OvY22SsaNYfdPBldt6+dBcjHIGRJ6sZ

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

hacked-fud1

C2

192.168.100.10:1412

Mutex

a685d3ed-d174-40b7-9655-c2bfab3ed130

Attributes

  • encryption_key

    2A5F3DAC380078962166175BD172DE2D4AA07E26

  • install_name

    fud2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Service

  • subdirectory

    SubDir

Targets

    • Target

      fud2.exe

    • Size

      3.2MB

    • MD5

      3dc1d39a2ebeb5dc85da7e8c3d6e3aaa

    • SHA1

      4cfcddc23cc0949ca620474edef6c82a2c2280d3

    • SHA256

      5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4

    • SHA512

      77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a

    • SSDEEP

      49152:tkvXI22SsaNYfdPBldt698dBcjHIGRJ6ybR3LoGdJTHHB72eh2NTC:OvY22SsaNYfdPBldt6+dBcjHIGRJ6sZ

    • Modifies visibility of hidden/system files in Explorer

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks