General

  • Target

    Compiled.rar

  • Size

    5.5MB

  • Sample

    241224-vh525sspdk

  • MD5

    bfbd3b978243c18c8c93d50d53f8794b

  • SHA1

    2830bfd88e0bed2ee2678b5399185c69226f2c2f

  • SHA256

    527ac72a0ff65114e5d8cef5936eaae4764c9f01c2cf454c61dc2e1400285626

  • SHA512

    61e8b62c2cecf416fa52604b9980853424353fc1f06ba2dbda724a11daca2b8f43ebb0da98664f91aee6360c8e04f6f03e8e5cb1df71ce17cc59cdb6c9d442b7

  • SSDEEP

    98304:qVRAi6LwGr2fAP9X4EdLENlNysOtj8B0SZiXLsWow0G6Yq026v4QKJJQ8rY8f:gb6LT14flNysKodWw7w0GLqv6gQK/hrp

Malware Config

Extracted

Family

quasar

Attributes

  • encryption_key

    6DC75341715F183F008C5D5A26E1967745A885D9

  • reconnect_delay

    3000

Targets

    • Target

      Compiled/BStub_Onimai.exe

    • Size

      114KB

    • MD5

      3ec96d8142a0382bf83d0d9acca9e7b1

    • SHA1

      62908a175e371d86dd5f90841811366bdb0678f1

    • SHA256

      dcda999ce09d3dd5edd290280da150dd07720ba1e4d8cc0d62a6587a401b83fc

    • SHA512

      173e63526d03fb5efd1f552c9bb65c16b580592746514c6fa83b1b2bd903a6c9d91dfe5e79dff79de70ec30143ebbf03429c05b36f3aef35605a0e28bb7413ba

    • SSDEEP

      1536:jVrG0HWEOfQAgF0Sgb8WcP6OIUy92ShVA7gzzCAzCh3wvRnbAOsdlixs+wdQWu:jVy+W2gb5U2CAzCh3wvRnbl0Z+wqZ

    • Score

      1/10

    • Target

      Compiled/Stager.exe

    • Size

      149KB

    • MD5

      98e08c9ddc69ca2b86028cc3cb1efa64

    • SHA1

      56ebf01da2329100e808bc5460e1ff597f512a82

    • SHA256

      8c1628ad812210a834d9a0d0dffae32d4057756de72ef4f80b72622786dc4038

    • SHA512

      3b97695816cc1b1199284698fef1cb572449b903c28f468740f14296307f2a5d718df0e542fb1eb5f2ec73dbfde737d8cb77bf8f08319c5fef987216c8a14f13

    • SSDEEP

      3072:PixjfPZwt68v4VjnYRawLr1SWRtLJbnOgZQBegbsu5q8fu3SsL72jV:PixjfW6WeS3NZxqlbzWSYy

    • Score

      10/10

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Suspicious use of SetThreadContext

    • Target

      Compiled/Ton618.exe

    • Size

      6.3MB

    • MD5

      f2767c94dc8fbd1a4f0140e8b2bfdf0b

    • SHA1

      3a5509b3df31289dd12b98fadc8427ccb7dc4729

    • SHA256

      e137c5e7e7fd10ae048b0a154a14ac47d1fd77b29e61863154b363ed5d0bdb3e

    • SHA512

      637f6205805d09a25c05524d7390a02cf9bfc0d5cd9ae8c90f19dc1094f24fc5fba5784b069c9c78084932768951e125448092a0151d4230cf0062d9e6b1420e

    • SSDEEP

      98304:8F8YDfU4syqa1FbbF1Z080G4/7+VyyaYBcF8YDfU4e:SSczi1/74yyaYBye

    • Score

      1/10

    • Target

      Compiled/zovoX.exe

    • Size

      2.9MB

    • MD5

      1976cb5215470bbbfe6ea766aa2b9253

    • SHA1

      a9c899dbc512a5e8356731d4b1804fcbe4f6101b

    • SHA256

      dbcc095aa748c9400b3a81781f44dab6cdead04f9abbc5612a49f156c2df3aff

    • SHA512

      d6a904f2b0526435179d6d21b2d4021023451dbce44be4308cc83a6fd9d416be74fac0e4f1734005dc53d466b4dc734086ef97d59a2b6783a6d1f66f646be4b3

    • SSDEEP

      49152:XrCFFGZ0Ta3c4cF5v+kvvlEY4GO5me+90HPjxVBTvI5C8yXHxoAubGS:bC/la3cZ5v+st3OnxHPjRJ1ObT

    • Quasar RAT

      Quasar is an open-source Remote Access Tool (RAT).

    • Quasar family

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks