General

  • Target

    kys.exe

  • Size

    3.2MB

  • Sample

    241218-hh6mfsyqcj

  • MD5

    0515143005b3e92fe50594bc1e30af7b

  • SHA1

    1f565728bcc13bf1e49760c98bd96e15dacb42fc

  • SHA256

    676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53

  • SHA512

    e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c

  • SSDEEP

    49152:tevXI22SsaNYfdPBldt698dBcjH3c0TbRSLoGd7/THHB72eh2NTA:UvY22SsaNYfdPBldt6+dBcjH3c0SZ

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

victim-hacked

C2

192.168.100.2:4444

Mutex

16229cd1-6d24-490c-9eb9-35319229cc03

Attributes
  • encryption_key

    6B74F0C858B7E90573D4E97997F2A082B9781250

  • install_name

    victim.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Service

  • subdirectory

    SubDir

Targets

    • Target

      kys.exe

    • Size

      3.2MB

    • MD5

      0515143005b3e92fe50594bc1e30af7b

    • SHA1

      1f565728bcc13bf1e49760c98bd96e15dacb42fc

    • SHA256

      676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53

    • SHA512

      e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c

    • SSDEEP

      49152:tevXI22SsaNYfdPBldt698dBcjH3c0TbRSLoGd7/THHB72eh2NTA:UvY22SsaNYfdPBldt6+dBcjH3c0SZ

    • Modifies visiblity of hidden/system files in Explorer

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks