Overview

overview

10

Static

static

3

Read-Me.txt

windows7-x64

1

Read-Me.txt

windows10-2004-x64

1

burpsuite2.1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Packburpsuite21.rar

  • Size

    208.8MB

  • Sample

    250105-2vtm7syjft

  • MD5

    7d21c6d05d4cd5deb4e8f0123804a833

  • SHA1

    94d309b8c65cdf88c52d9e6bd3c0085cee33f16d

  • SHA256

    435cef541072c4e67643602b1c93277efaa122246c10f9e1a6d7fadcdedca947

  • SHA512

    5ede8e6bc4d41665620c4824ed1a1c3bdb3127450fa5dea1406a82b7ceb8cb18f5e9081d9ad792e66df912096b54ca0f7f000b4924a1743566285940b46aef5b

  • SSDEEP

    6291456:wfDlqvXnRovMwPG3JAZqKdy/z/PhJlTz6:wfxqpoTPG3JFKdozBJtz6

Score
10/10
quasarloomisdiscoverypersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

loomis

C2

sytemmediacom.hopto.org:4444

Mutex

QSR_MUTEX_AaT6YOWjH9nv7lraZU

Attributes
  • encryption_key

    l1npLAHvnEPdMOUavOPM

  • install_name

    svhostt.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhostt

  • subdirectory

    SubDir

Targets

    • Target

      Read-Me.txt

    • Size

      169B

    • MD5

      eaa6018aa11f6533cd4ce7ad9f32813d

    • SHA1

      a806f40b46eb875c3d524cd2bc38ec6faf843eb6

    • SHA256

      8d1e4273408e008d516a5c2ff96a38de3959adc71a49e7a5007774064a4e93f0

    • SHA512

      0e5dff3af21ef92e60a0d96224d6560be838ec8f71d9add63844ed224d42bf146f431d11d7a3c8a31ca4e0abd325d22a17731f930850684293ab51906298c0cb

    Score
    1/10
    behavioral1behavioral2

    • Target

      burpsuite2.1.EXE

    • Size

      208.5MB

    • MD5

      bd85c0bcec470d54b3f697174fd733aa

    • SHA1

      9aa3c62a72495ad25db82d0215c2cce285952083

    • SHA256

      1ac62e3a8c0e4e3da8a0e8d33357597d8c6e52687783beb9b54caa4e1394655d

    • SHA512

      ec6fec4812e0717b21025839da039fb0627cdcbe6d199ef0e0d02530348385e2c535b7291b427d5dbfc5a349dcc45fd6405af35c5dfb23dcd90fcd000a4a5401

    • SSDEEP

      3145728:w4gxW5XbLm7Gf6tCgR7TE1bHGxVITiJdwnjMphAU3zVWA81w3LytJJ5QRrur6XyJ:w4OrRTgbHGkMdajmT18mgvSm6CZDxRH

    Score
    10/10
    quasarloomisdiscoverypersistencespywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3

MITRE ATT&CK Enterprise v15

Tasks