General

  • Target

    Ton618.exe

  • Size

    6.6MB

  • Sample

    241224-bqt53axnhs

  • MD5

    fa55ec4c1f2bde276ead921187cf36c1

  • SHA1

    ed2ba8a4c96f4f473e13baae9f6057bcdb043519

  • SHA256

    b32538fc97c82d2e3623d1b3ea1b7daa8948399da29651a6350bb598d183027c

  • SHA512

    6941dc68fa19375f6882c3cd6cd34fa5db6de8a421194207ed076f8272e256269b923a52c8141001204d87df288179ab7d3e5fc459e031c0c64a1dbc06fe43b1

  • SSDEEP

    49152:YEBm0Yz3KSzjhnbv5+/GSJFDdykdb2FXu7J2xePZaTohmxksuO+zTzuISFYUaGxE:YEBm0YpbvaDJFDdtbF1Z08Uxvs641/

Malware Config

Extracted

Family

quasar

Attributes

  • encryption_key

    6DC75341715F183F008C5D5A26E1967745A885D9

  • reconnect_delay

    3000

Targets

    • Target

      Ton618.exe

    • Size

      6.6MB

    • MD5

      fa55ec4c1f2bde276ead921187cf36c1

    • SHA1

      ed2ba8a4c96f4f473e13baae9f6057bcdb043519

    • SHA256

      b32538fc97c82d2e3623d1b3ea1b7daa8948399da29651a6350bb598d183027c

    • SHA512

      6941dc68fa19375f6882c3cd6cd34fa5db6de8a421194207ed076f8272e256269b923a52c8141001204d87df288179ab7d3e5fc459e031c0c64a1dbc06fe43b1

    • SSDEEP

      49152:YEBm0Yz3KSzjhnbv5+/GSJFDdykdb2FXu7J2xePZaTohmxksuO+zTzuISFYUaGxE:YEBm0YpbvaDJFDdtbF1Z08Uxvs641/

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks