Overview

overview

10

Static

static

10

New folder.zip

windows10-2004-x64

1

New folder.zip

windows11-21h2-x64

1

New folder...py.exe

windows10-2004-x64

10

New folder...py.exe

windows11-21h2-x64

10

New folder...hi.msi

windows10-2004-x64

1

New folder...hi.msi

windows11-21h2-x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New folder.zip

  • Size

    13.3MB

  • Sample

    240630-ngvfpaxanb

  • MD5

    1694ee8a09ebbe56390c44bae9307406

  • SHA1

    0f1886e199b60d9abd87e786e49f8a0557031052

  • SHA256

    7aa6c2e38366d1b553ce56e67f35cfa687e4ba0f7c3eaa404f5ba2449af9fbe5

  • SHA512

    8417fa25bd4769e747e539804c92223ae88c1879a8c9f3aad5e3a2f990db47d1cf319f3777cffc259fe6bff0312664f8621434419fc427d67aafdc56aa834c18

  • SSDEEP

    393216:0PfDzPD8hpXYoKMFJ4PT61E0WTTPuRr0r1+:0Pf/PY7MPTd0WTatw1+

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.240.115.45:4782

Mutex

2cc201c7-b02e-4a34-8806-aa9a8d33ae2d

Attributes
  • encryption_key

    64024FEFC383421D2550E88D4DBE252B6BA53116

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      New folder.zip

    • Size

      13.3MB

    • MD5

      1694ee8a09ebbe56390c44bae9307406

    • SHA1

      0f1886e199b60d9abd87e786e49f8a0557031052

    • SHA256

      7aa6c2e38366d1b553ce56e67f35cfa687e4ba0f7c3eaa404f5ba2449af9fbe5

    • SHA512

      8417fa25bd4769e747e539804c92223ae88c1879a8c9f3aad5e3a2f990db47d1cf319f3777cffc259fe6bff0312664f8621434419fc427d67aafdc56aa834c18

    • SSDEEP

      393216:0PfDzPD8hpXYoKMFJ4PT61E0WTTPuRr0r1+:0Pf/PY7MPTd0WTatw1+

    Score
    1/10
    behavioral1behavioral2

    • Target

      New folder/Client-built - Copy.exe

    • Size

      3.1MB

    • MD5

      f3802bd8f99e5c9ca6c04a7addc2d0d8

    • SHA1

      96c6b9feffe04c5fbefc48802ac0635f596c6a33

    • SHA256

      6dc99f25c5f794d14323fa2ed8ec891ea2fd81c359d676052574585471984d06

    • SHA512

      5eb55bf1c70c40124a4d4df4c20ece52d6ed060c874c01f1fe4b130056edead2dad3a3dd919a487f2dec03d7e5e684883770c48e53932ac7c44b8ab03dbb84ce

    • SSDEEP

      49152:OvjI22SsaNYfdPBldt698dBcjHAd19LoGdGTHHB72eh2NT:Ovc22SsaNYfdPBldt6+dBcjHAd11

    Score
    10/10
    quasaroffice04spywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Executes dropped EXE

    behavioral3behavioral4

    • Target

      New folder/hamachi.msi

    • Size

      13.7MB

    • MD5

      909db4061c32f798e94d746717782444

    • SHA1

      10f5ffff17d2dd4476686a941a7bcc5f9b83b1b8

    • SHA256

      6ee98db32852a2ff31a969d918bb7c730950bb15f24ea1baf996697cebc8b9fa

    • SHA512

      44e7f97b27aef2e4cb62a6a0ebab5033b99e1ec940f231eda416f3b68d83df81d10950a8ced2ca528024adecd1dea7e1d4427e78b111edbc0124d7ffd6c1232d

    • SSDEEP

      196608:cp/8gF8Li2aauOgsgJ9RSfD3G43O+WFoy1jNDVxJBQHhIO4E46uVwOXsHoHybhLf:O/382agT9RK73O+kN3JSHuy46inqUMC

    Score
    6/10

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks