General

  • Target

    d467f2d14bc21c2b361a485fa45998ce431e1b1a57ab2de2da583eda108baba9.zip

  • Size

    32.7MB

  • Sample

    241224-gh7n3sskew

  • MD5

    a4727e2be65d5329cc7ec679a6c693ae

  • SHA1

    0994665381dced61dd6054aa83dd86125efc8a94

  • SHA256

    d467f2d14bc21c2b361a485fa45998ce431e1b1a57ab2de2da583eda108baba9

  • SHA512

    c6de3735dc20deca3bd959a0a2fbc8c3948f6dc8a6cc3be49133d6b92edf9b048504e4a82fbcc4173e709a9e9eac964dbf9c37888dace3758b04146282d3f1a0

  • SSDEEP

    786432:Pgi48KFglmpGp2Ey3CuYTRb4lFBXDorLwDUzZsParVbRE/4g:Pg/gyGp2E5ukb2dorUU2PeP0

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SenshiDoger

C2

51.15.17.193:4782

Mutex

88fce838-f835-4ecf-a564-130da9d982d9

Attributes
  • encryption_key

    97599F6E5D14A784CC4DD36B18A277119042FDA8

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.0.0

Botnet

SenshiDogger

C2

51.15.17.193:222

Mutex

QUCCAE2FMOnnAHmsrK

Attributes
  • encryption_key

    en6dkTFiSUkKpYIDgQtE

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    word

  • subdirectory

    SubDir

Targets

    • Target

      dogger-qt-windows/dogger-cli.exe

    • Size

      2.0MB

    • MD5

      8ec0cb1a3536a41842c6c848187f01ed

    • SHA1

      4f99125bd35519eb52c8b1737823dfe5b1850663

    • SHA256

      b441b7395cc59ee0e692f9dca627853a4e09a32d59564be75d560620e36c9715

    • SHA512

      b966542a124e3a797505acb6697322c62d79ea0c9f031a5de61ed622c6bac32abc603d3254b48303fe4efcb13a79b43de065beebddcc6b754dad1bedbfeca428

    • SSDEEP

      24576:xLhAoAIccJD6wHRWAJ00gyX2xylirEuq4WlFFlfr9NxPmKn6RUySZ:VhAdchv05yX2x+RuDWrFlJPYRUyS

    Score
    1/10

    • Target

      dogger-qt-windows/dogger-qt.exe

    • Size

      83.6MB

    • MD5

      3c607881c805adde0f4118f2fe5ea712

    • SHA1

      72182ea0e810c18edec5dcca85efc277a51b91e7

    • SHA256

      175a0366e2f3fa190b8f9a9a447f9b9efa679c36c394f3b8b0366e63c5df4cea

    • SHA512

      9ebd2294651cb792450b1005a8c77806234b0dba4cdd09a92e1e2460a7170f27c2139c36af3c36202530cf8a24ddbe26f3425e5849a8053881fa214359289bfd

    • SSDEEP

      393216:F4TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2k:FKRVQxhu0P8Lq1LEvxOOx5Sq

    • Quasar RAT

      Quasar is an open-source .NET remote access tool (RAT); both extracted configs above belong to this family.

    • Quasar family

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • System Binary Proxy Execution: Regsvcs/Regasm

      Abuses Regasm.exe, a signed .NET Framework utility, to proxy execution of malicious code.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • Target

      dogger-qt-windows/dogger-tx.exe

    • Size

      3.6MB

    • MD5

      e26738feb17bc0eec9548a3fc831d89e

    • SHA1

      508d27b6d43d93b85a3088a954436efcfc95240a

    • SHA256

      cbdc3b3b4f12046d82892d5896c2dfdfec74afdd31a8fcd88591bf4a994895ac

    • SHA512

      c47e579be314bc54af0710f4c6e50155c6098bca5b63ee91ffa3ae0e34ddbcf1bc76f9e480bd7120d2eb11ea1b2ef832375afe9eb06356c1b744cef8f57d44c2

    • SSDEEP

      49152:zSgYFyeqz//DvplbcWPhAZ3n1kdXsHi1POi50f5ienWs0YGANMoywHhSC7LPz:zl1/DBaJumi5W2ANMoHHhrL

    Score
    1/10
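One way to turn the two extracted Quasar configs and the dogger-qt.exe behaviours above into host-side hunting logic. This is an added example, not part of the sandbox report and not Quasar's own code: it runs constructed, loosely Sysmon-shaped event records (the field names are assumptions) against the C2 endpoints, mutexes, startup keys and SubDir\Client.exe install path from the configs, flags Regasm/Regsvcs proxy execution whenever the parent is outside an assumed build-tool allowlist, and correlates that process with the C2 connection by pid.

```python
"""Hunt constructed endpoint telemetry for the indicators in this report:
the two extracted Quasar configs (C2, mutex, startup_key, subdirectory +
install_name) and the Regasm proxy-execution behaviour of dogger-qt.exe.

Added example, not part of the sandbox report. The events below are
constructed, loosely Sysmon-shaped dicts; the field names are assumptions.
"""
from __future__ import annotations

from collections import Counter

# Indicators copied from the report's "Malware Config" section.
C2_ENDPOINTS = {("51.15.17.193", 4782), ("51.15.17.193", 222)}
MUTEXES = {"88fce838-f835-4ecf-a564-130da9d982d9", "QUCCAE2FMOnnAHmsrK"}
STARTUP_KEYS = {"Quasar Client Startup", "word"}
INSTALL_SUFFIX = "\\subdir\\client.exe"  # subdirectory + install_name, lowercased

# System Binary Proxy Execution: Regsvcs/Regasm (T1218.009). The parent
# allowlist is an assumption for legitimate build-time use; tune it locally.
PROXY_BINARIES = {"regasm.exe", "regsvcs.exe"}
BENIGN_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (also tolerates '/' separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: dict) -> list[str]:
    """Return the indicator names a single event matches (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "network":
        if (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
            hits.append("quasar_c2")
    elif kind == "registry":
        key = ev.get("key", "").lower()
        # Quasar persists via a Run value named after startup_key.
        if "\\currentversion\\run" in key and ev.get("value") in STARTUP_KEYS:
            hits.append("quasar_startup_key")
        if ev.get("data", "").lower().endswith(INSTALL_SUFFIX):
            hits.append("quasar_install_path")
    elif kind == "mutex":
        if ev.get("name") in MUTEXES:
            hits.append("quasar_mutex")
    elif kind == "process":
        image = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent_image", ""))
        if image in PROXY_BINARIES and parent not in BENIGN_PARENTS:
            hits.append("regasm_proxy_execution")
    return hits


def triage(events: list[dict]) -> dict:
    """Score a host's events: per-indicator counts plus a correlation flag that
    fires when a Regasm/Regsvcs process is also the one talking to the C2."""
    counts: Counter = Counter()
    proxy_pids, c2_pids = set(), set()
    for ev in events:
        for hit in match_event(ev):
            counts[hit] += 1
            if hit == "regasm_proxy_execution":
                proxy_pids.add(ev.get("pid"))
            elif hit == "quasar_c2":
                c2_pids.add(ev.get("pid"))
    correlated = bool(proxy_pids & c2_pids)
    if correlated or counts["quasar_c2"]:
        verdict = "infected"
    elif counts:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": dict(counts), "regasm_talks_to_c2": correlated, "verdict": verdict}


# Constructed sample telemetry (not taken from the sandbox run).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Users\u\Downloads\dogger-qt.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 4388,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Users\u\Downloads\dogger-qt.exe"},
    {"type": "mutex", "pid": 4388, "name": "QUCCAE2FMOnnAHmsrK"},
    {"type": "registry", "pid": 4388,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "word", "data": r"C:\Users\u\AppData\Roaming\SubDir\Client.exe"},
    {"type": "network", "pid": 4388, "dst_ip": "51.15.17.193", "dst_port": 222},
    {"type": "network", "pid": 900, "dst_ip": "93.184.216.34", "dst_port": 443},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The C2 match is exact on IP and port because the report gives both; when hunting more broadly, also check for any connection from a Regasm.exe process, since the pid correlation is what separates this from legitimate assembly registration. The Run-value names ("Quasar Client Startup", "word") are weak on their own, so they only raise the verdict to "suspicious" unless a C2 connection is seen.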

MITRE ATT&CK Enterprise v15