General

  • Target

    FlashingSoftwarePRO.exe

  • Size

    3.1MB

  • Sample

    241220-w7ef6asjgr

  • MD5

    b2f5d1078f1ed4eb8547f19b48dc5126

  • SHA1

    657254864bfab24f564888e230da7f46266ecb4c

  • SHA256

    4f872140210a9253c0deb66a65f0c265a194e85d99a639f406d927a1ac760903

  • SHA512

    9f850a289fd4ac3b7f1e94e8ec179b99e6ae9c78cd7ef164aefd87c4d14d9f7995c60596cc1720a17afe0fc40d32715886a9fd8695c11ac6941077e45528c882

  • SSDEEP

    49152:vvxI22SsaNYfdPBldt698dBcjH1uRJ6ebR3LoGduTHHB72eh2NT:vvi22SsaNYfdPBldt6+dBcjH1uRJ6Y

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

C2

7.tcp.eu.ngrok.io:10771

7.tcp.eu.ngrok.io:4782

Mutex

75e27cf2-023d-4d6d-9a0d-265f3da40a2e

Attributes
  • encryption_key

    BDB44181C868606DFCA1741A69056AAA62DADEFC

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    300

  • startup_key

    RuntimeBroker

  • subdirectory

    System32

Targets

    • Target

      FlashingSoftwarePRO.exe

    • Size

      3.1MB

    • MD5

      b2f5d1078f1ed4eb8547f19b48dc5126

    • SHA1

      657254864bfab24f564888e230da7f46266ecb4c

    • SHA256

      4f872140210a9253c0deb66a65f0c265a194e85d99a639f406d927a1ac760903

    • SHA512

      9f850a289fd4ac3b7f1e94e8ec179b99e6ae9c78cd7ef164aefd87c4d14d9f7995c60596cc1720a17afe0fc40d32715886a9fd8695c11ac6941077e45528c882

    • SSDEEP

      49152:vvxI22SsaNYfdPBldt698dBcjH1uRJ6ebR3LoGduTHHB72eh2NT:vvi22SsaNYfdPBldt6+dBcjH1uRJ6Y

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks