Overview

overview

10

Static

static

10

CHEAT.rar

windows10-ltsc 2021-x64

10

CHEAT.rar

windows11-21h2-x64

8

#524#@7asRFj438!!.exe

windows10-ltsc 2021-x64

10

#524#@7asRFj438!!.exe

windows11-21h2-x64

10

Config.ini

windows10-ltsc 2021-x64

3

Config.ini

windows11-21h2-x64

3

HVCI/MbixMY.exe

windows10-ltsc 2021-x64

9

HVCI/MbixMY.exe

windows11-21h2-x64

9

HVCI/Steam.exe

windows10-ltsc 2021-x64

9

HVCI/Steam.exe

windows11-21h2-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CHEAT.rar

  • Size

    36.3MB

  • Sample

    250209-w1dlaayncj

  • MD5

    203ba38accab7ff9b181c88176d7e17f

  • SHA1

    33bd9fc89e77faed86bda399d018f9413f6eba73

  • SHA256

    eab5f974ec202f9576335f50646b1a7e6725557b1227b8f96ecc889c15498905

  • SHA512

    2cc04354147ef18f22c753303f4417744d349d41a1eb6ea28ef8ffad3831aa3e6317b698c24b3c1dc0ef60ed4e38564d21be4afc9a485ea22ec75dbe739f76a7

  • SSDEEP

    786432:cQ1zPwv64YV/iSmT3kJtj88ZEP87mD+cmodF2fppwcPX/fzi82lb7O:hLB4YMhT0JtiKmiodiHvPWJlb7O

Score
10/10
quasaroffice04defense_evasiondiscoveryexecutionpersistencespywarethemidatrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.0.1.100:4782

Mutex

ed337c2a-f410-44a6-a75b-740207b7d8db

Attributes
  • encryption_key

    6D00964D3D31D45131A3ECADA49AED6AAB6AAED0

  • install_name

    CHEAT.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      CHEAT.rar

    • Size

      36.3MB

    • MD5

      203ba38accab7ff9b181c88176d7e17f

    • SHA1

      33bd9fc89e77faed86bda399d018f9413f6eba73

    • SHA256

      eab5f974ec202f9576335f50646b1a7e6725557b1227b8f96ecc889c15498905

    • SHA512

      2cc04354147ef18f22c753303f4417744d349d41a1eb6ea28ef8ffad3831aa3e6317b698c24b3c1dc0ef60ed4e38564d21be4afc9a485ea22ec75dbe739f76a7

    • SSDEEP

      786432:cQ1zPwv64YV/iSmT3kJtj88ZEP87mD+cmodF2fppwcPX/fzi82lb7O:hLB4YMhT0JtiKmiodiHvPWJlb7O

    Score
    10/10
    quasaroffice04defense_evasiondiscoveryexecutionpersistencespywarethemidatrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      #524#@7asRFj438!!.exe

    • Size

      3.1MB

    • MD5

      09ffcbccc1a4884f357781111b762d2e

    • SHA1

      386be8f85e983815580d9a83f635dd1a802886db

    • SHA256

      38a42d31c6741ceeceedaf2ba07e753863a81bcfed604df7df03fcb975980c82

    • SHA512

      d0f656806c760c0352699ff43125876a4f264da1675400d81ea085bec9341a5cdf9834c6d5eeef0b7df417a0a86acbaebbc9babd5848096612d15a57f4a668f4

    • SSDEEP

      49152:avCI22SsaNYfdPBldt698dBcjHWjRJ6gbR3LoGdEsYaGTHHB72eh2NT:avP22SsaNYfdPBldt6+dBcjHWjRJ66H

    Score
    10/10
    quasaroffice04discoveryspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    behavioral3behavioral4

    • Target

      Config.ini

    • Size

      367B

    • MD5

      7454df6cd0d28e81275ed4280bb78f3a

    • SHA1

      2dcf07cabfd953c685fa6f2aae7d71eec33adee8

    • SHA256

      767cba75d23ddcf7822abac7461053f3ddcc315ebe5974d31e7a2a8ac574c15f

    • SHA512

      2bbb290f41909c1b0c4657cd385b896b0ae57041cd34e6204c6d3b61f0e42a49e2a72cd4d94296b93cd2ec49d2edf1ee2d2946045dceabdc58a8f293bca6378a

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      HVCI/MbixMY.exe

    • Size

      19.7MB

    • MD5

      09e04205ee2e4b53e2bbaa249baf2598

    • SHA1

      05da5d90f8bbca7fc3999da1bd9e2b0e11de0197

    • SHA256

      60afe971d2f46a4ccf942b83c666a2f8a88927fea173fa99f227348f65cadcb0

    • SHA512

      d5393035d8507cf51168873970ae76da51113f411bb3b1998ff73307d5ed4ea979fe4d61fd88db12d81c47ce815987f239762cc683b10dd749201c0c8c7ba2b5

    • SSDEEP

      393216:lDahR5qGWQrGH+ipoatUWIDqBuH7iUFmO9BHq12s1T5oL34UMqt:lDapqGWe1bauqBXSmO7HQDtG0qt

    Score
    9/10
    defense_evasiondiscoverythemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral7behavioral8

    • Target

      HVCI/Steam.exe

    • Size

      15.9MB

    • MD5

      8aac8c3763433c4633f9df18099454d8

    • SHA1

      488b942dc7da1066a2ca1531319dd91828501b44

    • SHA256

      841b830d52ffa466dcf7bc00f47f9097634782b4028ecc512ffb0ffb49107a92

    • SHA512

      200aabc46b9d25952906e3f6badab8802dd6fe2d3be598e92792ffdb6c2834042921ae441aae4c6cb8e51b9e1fadd2ad1a30f21ef7d0ff38da002b7b1ed96e7b

    • SSDEEP

      393216:BYSiS7PfvNPUBiLB1VSNq/+FEQ7jPeF7Bp6ibY4Tj:BYiXvFUxQO2np6UTj

    Score
    9/10
    defense_evasiondiscoveryexecutionpersistencethemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral10behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks