General

  • Target

    quasar-1.3.rar

  • Size

    5.2MB

  • Sample

    241218-dvyp6asldk

  • MD5

    d5e18c5b64f3b41553e3910a9a3a7700

  • SHA1

    1ba910ee7e0d505a62369b3eae84c17c313e322b

  • SHA256

    dfa03e874601afc2e2b2d3ce8646b6cdce69da7baa751847299ee6e2208d5d7f

  • SHA512

    05915a3ce42ba3691635770e9b46711fc9a28b556156cd9bf5a292b70c8c58807344dca047d242d39dce00a21ec1463e82d88c3a1f1a245097288ed97348d426

  • SSDEEP

    98304:Rh2T1DA6eY+h5jBz6TSyfUHlQg+hcJqRWctXhz5VrCJ2Fht1OvMfP2ozpegpyuwg:Rh2SY+PNz6TSG8QWEXrVr8Qhts0fOoz9

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

YT_RAT

C2

FlawGFX-25466.portmap.io:25466

Mutex

b0e42180-0b07-43a4-8af5-751a530df10c

Attributes
  • encryption_key

    F38AD66AF1B37C4D9D83D6A35EA505EADBD633EE

  • install_name

    UpdateScheduler.exe

  • log_directory

    WinDefender_Logs

  • reconnect_delay

    1500

  • startup_key

    Windows Update Scheduler

  • subdirectory

    WindowsDefender

Targets

    • Target

      EXIT/Exit.bat

    • Size

      309B

    • MD5

      0838b9820c924566aae843284856fd27

    • SHA1

      2631b94e6267cb4a05768d4cbc71604e2e1cb60c

    • SHA256

      076b3dbf0da3f88989af8d57a0d18badb72d061e98fae95c2c0dbd8626575569

    • SHA512

      4df450cbe36bfa64955591f3e147efac6f0da20ca18d509091c2ac3f7e39287761936973cfaf802634f80648362664ccfef39dd104999d8d03b71a64d0b35d8d

    • Enumerates processes with tasklist

    • Score

      5/10

    • Target

      QuasarDependencies.exe

    • Size

      120KB

    • MD5

      8e3e60ba2c742636546e314805e31c19

    • SHA1

      cb09acc414a975f1d084183e0b5d2c5b7a77d339

    • SHA256

      4d728486d5ccfc33c5853866da2e1549677181334552c36e0988bc4f64a208b1

    • SHA512

      e4460b9dd06221c40388abaa7b912af67772ef159b5497406ef19399c5f8ad08edf0e9af1504048dc2a6b6cc2928027f657522ebecd412f986580b361eef56ab

    • SSDEEP

      3072:EV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPKn:pt5hBPi0BW69hd1MMdxPe9N9uA069TBg

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      QuasarScript.exe

    • Size

      1.2MB

    • MD5

      90ccd90706e5f5ecf0a4fd6301cf18c8

    • SHA1

      141f82fc5e8ddf7c2b87cf71bf1f506d2a3f06d4

    • SHA256

      44ab3d116f6c6318067f89ccb838b5198b6544469ec27557ca1de3655a6ceb96

    • SHA512

      a8689448e4781013c6ae7a3744673f849d759954b91a341703897d5de6bdd1e08f43f03e8a71bdebd296d3d3b8a0928c39729b7a2044e095f0d4625c1325ca5c

    • SSDEEP

      24576:nTgjYdbiDh2VehFCrs/vtp3+G44Bkl2uXn4zImcKbPJhSvW1o:ncj7hUehgs/D+G44Bkl2y4zgW

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Start.bat

    • Size

      4KB

    • MD5

      d8d7df6fe62f011b7458e01a921b574f

    • SHA1

      7c9b3904e4dbc5814c6580ea7c4586245ef002d8

    • SHA256

      66b039ce03cc3c839a1d9b1a2c56cecef889bfbab67da276bc1298698473cbaf

    • SHA512

      3d2552d25dbe37fe9aa87b469256dc953a4b57cd1ab7a5fa418d25c287f7d2589ec5213f2373e17264e4dbe315212656ecf1afa92ea48ed63491a97d9bb80cae

    • SSDEEP

      96:QQPgAM1IfSmnPlTil5zKYzWe+spCjtR1+:9emSmMpC5R1+

    • Score

      3/10
    • Target

      img-recog.dll

    • Size

      4.3MB

    • MD5

      8d12ff5f45d8d892a79bd51ea846f968

    • SHA1

      e83e7824094b996f877927dbb3f3e344afdd7c83

    • SHA256

      abfe37fe6f990572d4eec6a0a6453d0b447e132db2daec956e3dae0bc0130094

    • SHA512

      66081bd629202e985198ce1a59e2ef5fffe7b4f9e258c98c5a744b2a6748ad5115862f01cb4ced08fe85bdbac7ad647cb7d0f32060945f9ba47563ee05cdac04

    • SSDEEP

      49152:VuRRMgmY1/8RyK96tW5RFD1NpC5mzE0b6HkjsBfP8syIwG26YSPDHYRy:EgzzzFD1NpsmzEPDn8syIwG26YQV

    • Score

      1/10
    • Target

      self-contain.dll

    • Size

      6.7MB

    • MD5

      6d50542785d7962382c3756cd85ca12c

    • SHA1

      4838742895b3a2450031d6c90768fe9bc9722f33

    • SHA256

      0323c7fbd9a579f339b597b3e5f5b6e02814ae594f7fbc0cdd1786a5a32551ac

    • SHA512

      c3f6ce45a901032052453565b01516a5ae81c41580e8dbdeffc45920692f8e7cdd0c4149c30ca07867be11f3964c6528f78a2de948d5eaa9aa1bab6f2b8cea0e

    • SSDEEP

      49152:HfqBknrDA3ow7dogcjavaD/r5KNPbHubrjxS04Z9zQtHwmLUHG79ZMAnZE2kPflf:/qBzovx+9z6niYZlDwfpzGAE2vF

    • Score

      1/10
    • Target

      win/qwindows.dll

    • Size

      1.4MB

    • MD5

      0e6d9926455b73c9e67de1e06f02ca19

    • SHA1

      840c1ce586f8684b7d0e80dd0f1643a2bed4676d

    • SHA256

      bf1a1e1fc37faf7a2f541674b66f0af5b3b70d753444c37cec9259fbf84f36ea

    • SHA512

      45bc1a205b1059975aa36d724ffd2f5849a0f1b11a01d1ae902f9d8a646e9101bbb059effbf83ffd7bf942c54516a7cf52f2ca66a87b8824f14f4a877acc7bcf

    • SSDEEP

      24576:E8uYu9qnyYrrFC5ZNxpQdFfwH73BiJu5Guel76wZbqtFV:hacnyYrrFCbNjKxwH73Bi3x0JLV

    • Score

      1/10

MITRE ATT&CK Enterprise v15
