General

  • Target

    cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f

  • Size

    3.1MB

  • Sample

    241217-tbq4zasmhx

  • MD5

    dd7a806c734df62ecf4802977fa0b3e9

  • SHA1

    42eae42e0fcfe9d9a54e493a670adde5241377da

  • SHA256

    cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f

  • SHA512

    0f8e2e565b40baabdde4018db57e06aee8e8dfeb4b1491e8e02e56a20e6b55bc1130ed74a702c35e043d4886af969af5d8ca26f5caeb0e96694982ecfbc80bbf

  • SSDEEP

    49152:yvkt62XlaSFNWPjljiFa2RoUYIO8RJ6IbR3LoGdaTHHB72eh2NT:yv462XlaSFNWPjljiFXRoUYIO8RJ6i

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Aryszx

C2

Apichat:4782

Mutex

181f4a12-4cad-46a9-9896-1001033c5b69

Attributes
  • encryption_key

    F4F359BEF442D9221F73F7D64267E0E300CC68CE

  • install_name

    Runtime Broker.exe

  • log_directory

    Logs

  • reconnect_delay

    1

  • startup_key

    Runtime Broker

Targets

    • Target

      cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f

    • Size

      3.1MB

    • MD5

      dd7a806c734df62ecf4802977fa0b3e9

    • SHA1

      42eae42e0fcfe9d9a54e493a670adde5241377da

    • SHA256

      cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f

    • SHA512

      0f8e2e565b40baabdde4018db57e06aee8e8dfeb4b1491e8e02e56a20e6b55bc1130ed74a702c35e043d4886af969af5d8ca26f5caeb0e96694982ecfbc80bbf

    • SSDEEP

      49152:yvkt62XlaSFNWPjljiFa2RoUYIO8RJ6IbR3LoGdaTHHB72eh2NT:yv462XlaSFNWPjljiFXRoUYIO8RJ6i

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks