General

  • Target

    ANYX-client-build.zip

  • Size

    1.3MB

  • Sample

    241221-ph16aszjbt

  • MD5

    9c5fc6b5f2697761f24aa161566ea625

  • SHA1

    1aa1f43f8ec33e7ebe58e2eae3620c127ede9118

  • SHA256

    ecce2755fb5ea36f5c5c204d2f289a87909a1affcb3cebe7310d39617d860981

  • SHA512

    355eafcf35c114a363ef4d5d1d2f64ac495f78ce60468fb5e6919fafe97dc3719d95a37553a4e092a224feba887f29f6c439195ac32652cc446c411cdb7e0c36

  • SSDEEP

    24576:rj3xLbytPbe5ueSBfu5ehOm4XEtDtsXviD85XeTPUJIzLGzCZlfYMPMbh3bxubv:HB/ytPKpgYgkimeTPUKGYfXUbh3bxur

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    Office04

  • C2

    rolok44419-55109.portmap.host:55109

  • Mutex

    0bcbf378-c5c6-4d35-b7db-11442a750cf2

Attributes

  • encryption_key

    A1C7F8E92E515420A946C210E4F8C886810ADBFD

  • install_name

    AnyLoaderV4.9.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Targets

    • Target

      ANYX-client-build/AnyLoaderV4.9.exe

    • Size

      3.1MB

    • MD5

      9a99be1ac8e21a3c4959702a02b25d6e

    • SHA1

      55d6230481e90c8a2f9d09956c07e3db1d03a96d

    • SHA256

      e26918aac1a313925a7aecdaeb1990788cd2e09e439cd3e5fe8d6babb89df0f1

    • SHA512

      46ae9d4d95c89afb3ed987445dcf72c71e770e99c35759a724e963952784d518530b2829b856b7818a8bc226e35fa8f243e18e35da4d7169c44edc5303159ea4

    • SSDEEP

      49152:rvelL26AaNeWgPhlmVqvMQ7XSKodL5mzSooGdw9THHB72eh2NT:rvOL26AaNeWgPhlmVqkQ7XSKodL0A

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks