General

  • Target

    smss.exe

  • Size

    3.1MB

  • Sample

    240620-vtnbgashnp

  • MD5

    cdd7d0cd4d066e6c4c150ffc74ada986

  • SHA1

    30c0f4b8f36e861e894ec8e632209242dd3a200e

  • SHA256

    71647321f5450a943f19817e997b58891f101d1483170254217110397aae9439

  • SHA512

    331677d29db5d59fd34df24ce4b98e42f029b6d278710c62eea59138324e29943ca6920d298254fe5c0c230ffd10d04d2215254a0b3dffed8891b6b69d91cfba

  • SSDEEP

    49152:rvmI22SsaNYfdPBldt698dBcjHCC11Jn6oGdDTHHB72eh2NT:rvr22SsaNYfdPBldt6+dBcjHCCE

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

0.tcp.eu.ngrok.io:15861

Mutex

2e0b210d-493f-47bb-9836-a3aaec70bb3b

Attributes

  • encryption_key

    EE767A1BA3E1F0485B5445EFDAA6890E4A9D52BC

  • install_name

    dllhost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SYSWOW

Targets

    • Target

      smss.exe

    • Size

      3.1MB

    • MD5

      cdd7d0cd4d066e6c4c150ffc74ada986

    • SHA1

      30c0f4b8f36e861e894ec8e632209242dd3a200e

    • SHA256

      71647321f5450a943f19817e997b58891f101d1483170254217110397aae9439

    • SHA512

      331677d29db5d59fd34df24ce4b98e42f029b6d278710c62eea59138324e29943ca6920d298254fe5c0c230ffd10d04d2215254a0b3dffed8891b6b69d91cfba

    • SSDEEP

      49152:rvmI22SsaNYfdPBldt698dBcjHCC11Jn6oGdDTHHB72eh2NT:rvr22SsaNYfdPBldt6+dBcjHCCE

    • Quasar RAT

      Quasar is an open-source .NET Remote Access Tool (RAT) for Windows; this sample is a client build of version 1.4.1 whose extracted configuration is listed above.

    • Quasar payload

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
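The extracted configuration above is enough to derive the artifacts this client leaves on a host and on the wire. The script below is an added example (editor's own code, not part of the sandbox report or of the Quasar project) that turns the config into hunting checks and runs them over constructed telemetry. It assumes the stock Quasar 1.4 client behaviour: the binary is installed to <system directory>\<subdirectory>\<install_name> (consistent with the "Drops file in System32 directory" signature), persistence is a Run-key value named after startup_key, and the mutex is created with the literal mutex string. The ngrok tunnel hostname pattern is inferred from the report's C2 value, and the telemetry (paths, Run entries, mutexes, connection lines) is constructed for illustration.

```python
"""Hunting checks derived from the Quasar 1.4.1 config in the sandbox report.

Added example, not code from the report or from Quasar. Assumptions are
marked inline; the telemetry at the bottom is constructed, not captured.
"""
import hashlib
import re
from typing import Dict, Iterable, List

# Values copied from the report's extracted configuration.
QUASAR_CONFIG = {
    "c2": "0.tcp.eu.ngrok.io:15861",
    "mutex": "2e0b210d-493f-47bb-9836-a3aaec70bb3b",
    "install_name": "dllhost.exe",
    "subdirectory": "SYSWOW",
    "startup_key": "Quasar Client Startup",
}

SAMPLE_HASHES = {
    "md5": "cdd7d0cd4d066e6c4c150ffc74ada986",
    "sha1": "30c0f4b8f36e861e894ec8e632209242dd3a200e",
    "sha256": "71647321f5450a943f19817e997b58891f101d1483170254217110397aae9439",
}

# Assumption: ngrok TCP tunnel hosts look like N.tcp.ngrok.io or N.tcp.<region>.ngrok.io.
NGROK_TCP_HOST = re.compile(r"^\d+\.tcp(\.[a-z]{2})?\.ngrok\.io$", re.IGNORECASE)

# Connection log format used by the constructed telemetry:
# "<timestamp> <process> <src_ip:port> -> <dst_host>:<dst_port>"
CONN_LINE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+->\s+([\w.-]+):(\d+)$")


def expected_artifacts(cfg: Dict[str, str]) -> dict:
    """Host/network artifacts a client with this config would create.

    Assumption: Quasar's system install location resolves to
    <SystemDirectory>\\<subdirectory>\\<install_name>.
    """
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "install_path": "C:\\Windows\\System32\\" + cfg["subdirectory"] + "\\" + cfg["install_name"],
        "run_value_name": cfg["startup_key"],
        "mutex": cfg["mutex"],
        "c2_host": host,
        "c2_port": int(port),
    }


def hash_bytes(data: bytes) -> Dict[str, str]:
    """The three digests the report lists, for arbitrary file contents."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def is_known_sample(digests: Dict[str, str]) -> bool:
    """True if any supplied digest matches the reported sample."""
    return any(digests.get(k, "").lower() == v for k, v in SAMPLE_HASHES.items())


def suspicious_paths(paths: Iterable[str]) -> List[str]:
    """Match on directory + name: 'dllhost.exe' alone collides with the
    legitimate C:\\Windows\\System32\\dllhost.exe (COM Surrogate)."""
    suffix = ("\\" + QUASAR_CONFIG["subdirectory"] + "\\" + QUASAR_CONFIG["install_name"]).lower()
    return [p for p in paths if p.lower().endswith(suffix)]


def suspicious_run_entries(run_entries: Dict[str, str]) -> List[str]:
    """Run-key value names (HKCU or HKLM ...\\CurrentVersion\\Run) equal to startup_key."""
    return [name for name in run_entries if name == QUASAR_CONFIG["startup_key"]]


def suspicious_mutexes(mutexes: Iterable[str]) -> List[str]:
    """Compare ignoring an optional Local\\ or Global\\ namespace prefix."""
    target = QUASAR_CONFIG["mutex"].lower()
    return [m for m in mutexes if re.sub(r"^(local|global)\\", "", m, flags=re.I).lower() == target]


def suspicious_connections(log_lines: Iterable[str]) -> List[dict]:
    """Flag the exact C2 endpoint and any ngrok TCP tunnel.

    ngrok endpoints are re-assigned per tunnel, so host:port is a weak
    indicator; the tunnel hostname pattern is the durable one.
    """
    art = expected_artifacts(QUASAR_CONFIG)
    hits = []
    for line in log_lines:
        m = CONN_LINE.match(line.strip())
        if not m:
            continue
        proc, host, port = m.group(1), m.group(2), int(m.group(3))
        exact = host == art["c2_host"] and port == art["c2_port"]
        if exact or NGROK_TCP_HOST.match(host):
            hits.append({"process": proc, "host": host, "port": port, "exact_c2": exact})
    return hits


# Constructed telemetry for illustration (not from the sandbox run).
TELEMETRY = {
    "paths": [
        "C:\\Windows\\System32\\dllhost.exe",          # legitimate COM Surrogate
        "C:\\Windows\\System32\\SYSWOW\\dllhost.exe",  # where this config would install
        "C:\\Users\\user\\Downloads\\smss.exe",
    ],
    "run_entries": {
        "SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
        "Quasar Client Startup": "C:\\Windows\\System32\\SYSWOW\\dllhost.exe",
    },
    "mutexes": ["Local\\ZonesCounterMutex", "2e0b210d-493f-47bb-9836-a3aaec70bb3b"],
    "connections": [
        "2024-06-20T12:00:01Z svchost.exe 10.0.0.5:49700 -> 13.107.4.50:443",
        "2024-06-20T12:00:03Z dllhost.exe 10.0.0.5:49712 -> 0.tcp.eu.ngrok.io:15861",
        "2024-06-20T12:00:09Z dllhost.exe 10.0.0.5:49720 -> 4.tcp.ngrok.io:12345",
    ],
}


def hunt(telemetry: dict) -> dict:
    """Run every check and return only the hits."""
    return {
        "paths": suspicious_paths(telemetry["paths"]),
        "run_entries": suspicious_run_entries(telemetry["run_entries"]),
        "mutexes": suspicious_mutexes(telemetry["mutexes"]),
        "connections": suspicious_connections(telemetry["connections"]),
    }


if __name__ == "__main__":
    for check, hits in hunt(TELEMETRY).items():
        print(check, hits)
```

The path check is the one worth copying: because install_name is dllhost.exe, a rule that keys on the file name alone fires on every legitimate COM Surrogate instance, whereas the SYSWOW subdirectory under System32 is specific to this configuration. The second ngrok hit in the constructed log is flagged without matching the reported C2, which is the behaviour you want once the operator rotates the tunnel.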

MITRE ATT&CK Matrix (ATT&CK v13)

Tasks