General

  • Target

    Testing.rar

  • Size

    1.0MB

  • Sample

    250117-3y83qsxpan

  • MD5

    289ea55162774e3fcfb829e31a621a05

  • SHA1

    b129d0b6d9f3d4ca2e71a59997258dcac6679293

  • SHA256

    6f53594dbef2a88901782608ddfde6508429b8836eb9895ac2fef53cd014cd53

  • SHA512

    357a7de94b2488cf1ffd8ad5d8535033b77ca549a68ff10c39d62ddcb69a7079a2b4d044e92db83a53516b219564340fc589b26de72a1f7756ac74bad8556dad

  • SSDEEP

    24576:gFSpkYCor87scmZrfx2PHd6WYa6UgvyU1:yY7r87slzKWa6tvT

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    Office04

  • C2

    192.168.40.122:4782

    rayanneaa-47070.portmap.host:47070

  • Mutex

    f1780d6b-a6ee-4632-9816-f23bb146f81e

Attributes

  • encryption_key

    F38746D956F52C2D74C5EA46908D0B22D4BB8A0C

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      Basic Nigga shit.bat

    • Size

      594B

    • MD5

      732934e81e3bb431f01edc8a8877be02

    • SHA1

      55d4c0c8019d7010a210d0c3b266ca2704532e91

    • SHA256

      68581cd6e309ee7fb59a5cfd7922ce3af8fd4976c38a9cdf022ad82b3e61af6d

    • SHA512

      145e3c25be6875204b635663771bb1fbcfc77f8d12c447873da646d6bd35990f2dd538ffc349ae85b42652a0dfe2ed85dff4a465f567f4712c0a611ccf11afc3

    • Modifies Windows Firewall

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Target

      OpenPort47070.bat

    • Size

      579B

    • MD5

      e130dfa59b9fc3ab6088197bbe40dd93

    • SHA1

      7e376e6ff51dd6fd2620a9a9f3c5482cde45b351

    • SHA256

      e1e743e138ed050ab8bc1f76ea7ff88b0d533870047d19204318499c8c88cfa2

    • SHA512

      02b6b63c9d86f92774f4e85e9cfd8a055d958dd4c2d16a9a9cb765e8f267e3b1bed7bff304f39fdf61a0ef1e441b851bad1e26ca2af576c8a1459f363163d59d

    • Modifies Windows Firewall

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Target

      OpenPort4782.bat

    • Size

      578B

    • MD5

      6bf40b3e2356b26bd4cb6dc373ccfbbc

    • SHA1

      fc3999705f0e5966629acab92c5ee8e106ee4353

    • SHA256

      ea764ca9b6ebebdc2b7d904438632a3bb9474fa4413b0da7454ad544796f2db9

    • SHA512

      35486de07e0ba8757d9237489488427ebd9f2d934f6132709f340ca5316312aa7aaed0581e7c4c89bb50693a1a6c15fbbf33d4088367b16ea9d97a0051e6d7a9

    • Modifies Windows Firewall

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Target

      Testing.exe

    • Size

      3.1MB

    • MD5

      db959977d9acce58e61aa4ef12821dce

    • SHA1

      7e50e26cef4f9a717401d84d8550958bb074ba76

    • SHA256

      21938faab3c33d56e889851cb0f81046154d14be56847374948879b6a19fb4a7

    • SHA512

      f52ac84c3eddf50deed156fcfa291dde981c4179aea1b72984791332389d8add9b68d541a47bfdc3632fdf745d6f0e1465c74187a9057ee5cb570a63e2b7955f

    • SSDEEP

      49152:WvtG42pda6D+/PjlLOlg6yQipVG8azxEhKvJqFoGdlTHHB72eh2NT:WvE42pda6D+/PjlLOlZyQipVVhr

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks