General

  • Target

    Powershell Obfuscated 2.exe

  • Size

    292KB

  • Sample

    250109-abzlka1rbl

  • MD5

    f30af95c3a3c086eebf694c35dda04e2

  • SHA1

    345ec2b55213feb12c9d28a8954f9a516002be2b

  • SHA256

    7e5bff5c80bb4378e89034d0fee7b956c0b4920f15ce43dc85f103211ec24137

  • SHA512

    a439f4c3ba8698399544643e842da15fd13f4e1b96efa49527d0aba5696d0f62daa0137a185f87951969f6cd6bbbafadc356aed376707fce260e2ce8cdd496a9

  • SSDEEP

    1536:KIxTgCJepaWKK41pBcGMKs17xij+zdbOtEpfZ+sFIAO:KqTgae4WKK41p5s178j8dSe1Z+uI

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.2.110:4782

Mutex

1300aa31-7590-4a5d-99c0-1cf7ee258de3

Attributes

  • encryption_key

    0D2143EAF59053EDE8DEB526A5F17A6BCA4107D2

  • install_name

    EcomMaker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE
