Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://medai.tv

windows10-2004-x64

Resubmissions

30-12-2024 03:24

241230-dyd5xswqbv 10

30-12-2024 03:20

241230-dvvy9swpcy 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://medai.tv

  • Sample

    241230-dyd5xswqbv

Score
10/10
quasar28evasionexecutionphishingransomwarespywaretrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://captcha.cam/file.b64

Extracted

Family

quasar

Version

1.4.1

Botnet

28

C2

194.26.192.167:2768

Mutex

859d5f90-e2d0-4b2d-ba9f-5371df032ec2

Attributes
  • encryption_key

    BE2B0B270E4DB19CAA5C42E9D2EBF64645A2D055

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    RuntimeBroker

  • subdirectory

    RuntimeBroker

Targets

    • Target

      http://medai.tv

    Score
    10/10
    quasar28evasionexecutionphishingransomwarespywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • A potential corporate email address has been identified in the URL: currency-file@1

      phishing

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks