- #IOC #OptiData #VR #Quasar #RAT #NET #RAR #PWD #PS
- https://pastebin.com/EnDmzkhL
- previous_contact:
- n/a
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
- attack_vector
- --------------
- email attachment .zip > .rar (1) > .part1/2/3.rar (multi-volume, password-protected) > .exe (1, loader) > cmd > powershell > downloads .exe (2, Quasar) > installs as AppData\Roaming\DVG8873\Update.exe
- # # # # # # # #
- email_headers
- # # # # # # # #
- n/a
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 727c60799e6583faf533baa5aa19219e694cf4c6e87ccd3343df784652b15ac3
- File name Запит.zip [ Zip archive data, at least v1.0 to extract, compression method=store ] ("Запит" = "Request", Ukrainian)
- File size 149.11 KB (152688 bytes)
- SHA-256 c304ffc2f06103d4b60c0ec37a0912f0cefb6ba60273d456d94bb4f6453fa68e
- File name Запит.rar [ RAR archive data, v5 ]
- File size 148.72 KB (152292 bytes)
- SHA-256 c5fe2158ba8a017a7548e13c90ffb8e3e6ff0f477094f5f5edc1ebf1de85adab
- File name Електронний запит.part1.rar [ RAR archive data, v5 ] part, PWD ("Електронний запит" = "Electronic request", Ukrainian)
- File size 53.00 KB (54272 bytes)
- SHA-256 b07d36986470cd09256ecba5c11bc16b083776cf61480d9beedc7f0d959b3b23
- File name Електронний запит.part2.rar [ RAR archive data, v5 ] part, PWD
- File size 53.00 KB (54272 bytes)
- SHA-256 e3522b418b77fee951e14e559be564d148d1c8ab905dbeee5d03c628368fe2b0
- File name Електронний запит.part3.rar [ RAR archive data, v5 ] part, PWD
- File size 42.01 KB (43022 bytes)
- SHA-256 76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950
- File name Електронний запит.EXE
- File size 204.50 KB (209408 bytes) [ PE32+ executable (GUI) x86-64 ] Loader
- SHA-256 e8af36287e2270581fd5f2d28c6e0b83b337f58d430554d28dbf55d2ca09fcca
- File name gbquas.exe (downloaded name), installed as Update.exe [ PE32 executable (GUI) Intel 80386 Mono/.Net assembly ] Quasar
- File size 18.02 MB (18899968 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR (payload download, defanged) bitbucket_org /yener3 /yener3 /downloads /gbquas.exe
- C2 77_105_132_124 : 4899
- 77_105_132_124 : 2525
- 77_105_132_70 : 2525
- 77_105_132_70 : 4899
- netwrk
- --------------
- 104_192_141_1 bitbucket.org 443 TLSv1.2 Client Hello
- 3_5_27_150 bbuseruploads.s3.amazonaws.com 443 TLSv1.2 Client Hello
- 77_105_132_124 4899 TLSv1.2 Client Hello
- 77_105_132_124 2525 TLSv1.2 Client Hello
- 77_105_132_70 2525 TLSv1.2 Client Hello
- 77_105_132_70 4899 TLSv1.2 Client Hello
- comp
- --------------
- powershell.exe TCP 104_192_141_1 443 ESTABLISHED
- powershell.exe TCP 3_5_27_150 443 ESTABLISHED
- Update.exe TCP 77_105_132_124 2525 FIN_WAIT2
- Update.exe TCP 77_105_132_70 4899 FIN_WAIT2
- [System] TCP 77_105_132_124 2525 TIME_WAIT
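- Added example (not part of the paste): the IOCs above are defanged (underscores for dots, spaces around the colon), so before they can be matched against telemetry they have to be refanged. The block below copies the C2 list as written, normalises it, and runs it over constructed netstat-style lines modelled on the comp section. It distinguishes an exact ip:port hit from an IP-only hit on another port, because a Quasar client is configured with a host list and may fall back to other ports. The sample lines and the function names are mine.

```python
"""Refang the defanged network IOCs from the paste and match them against
netstat-style connection records (constructed sample data, not real telemetry)."""
import ipaddress
import re
from typing import Iterable

# C2 indicators copied verbatim from the paste, still defanged.
C2_IOCS = [
    "77_105_132_124 : 4899",
    "77_105_132_124 : 2525",
    "77_105_132_70 : 2525",
    "77_105_132_70 : 4899",
]

_DEFANGED_IP = re.compile(r"^(\d{1,3})[._](\d{1,3})[._](\d{1,3})[._](\d{1,3})$")


def refang(token: str) -> str:
    """Turn '77_105_132_124' into '77.105.132.124' and 'bitbucket_org' into 'bitbucket.org'.

    Dotted-quad candidates are validated with ipaddress so that junk such as
    '999_1_1_1' raises ValueError instead of becoming a bogus indicator.
    """
    m = _DEFANGED_IP.match(token)
    if m:
        candidate = ".".join(m.groups())
        ipaddress.ip_address(candidate)  # raises ValueError on an invalid octet
        return candidate
    return token.replace("_", ".")


def parse_c2(ioc: str) -> tuple[str, int]:
    """'77_105_132_124 : 4899' -> ('77.105.132.124', 4899)."""
    host, _, port = ioc.partition(":")
    return refang(host.strip()), int(port.strip())


C2_ENDPOINTS = {parse_c2(i) for i in C2_IOCS}
C2_HOSTS = {ip for ip, _ in C2_ENDPOINTS}

# <process> TCP <remote ip> <remote port> <state>, the layout used in the comp section.
_CONN = re.compile(r"(?P<proc>\S+)\s+TCP\s+(?P<ip>[\d.]+)\s+(?P<port>\d+)\s+(?P<state>\S+)")


def match_connections(lines: Iterable[str]) -> list[dict]:
    """Return one hit per connection whose remote side is a C2 indicator.

    kind == 'c2'    : exact ip:port from the IOC list
    kind == 'c2-ip' : same host, a port not in the list (still worth a look)
    """
    hits = []
    for line in lines:
        m = _CONN.search(line)
        if not m:
            continue
        ip, port = m["ip"], int(m["port"])
        if (ip, port) in C2_ENDPOINTS:
            kind = "c2"
        elif ip in C2_HOSTS:
            kind = "c2-ip"
        else:
            continue
        hits.append({"proc": m["proc"], "ip": ip, "port": port,
                     "state": m["state"], "kind": kind})
    return hits


# Constructed sample, shaped like the comp section; the chrome.exe line is added
# to show the IP-only match.
SAMPLE_NETSTAT = """\
powershell.exe TCP 104.192.141.1 443 ESTABLISHED
Update.exe TCP 77.105.132.124 2525 FIN_WAIT2
Update.exe TCP 77.105.132.70 4899 FIN_WAIT2
chrome.exe TCP 77.105.132.124 443 ESTABLISHED
[System] TCP 77.105.132.124 2525 TIME_WAIT
"""

if __name__ == "__main__":
    for hit in match_connections(SAMPLE_NETSTAT.splitlines()):
        print(hit)
```

- The bitbucket.org and bbuseruploads.s3.amazonaws.com connections from powershell.exe are payload staging on legitimate infrastructure, not C2, so they are deliberately left out of the indicator set; blocking them would only matter at the path level.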
- proc
- --------------
- C:\Users\operator\Desktop\Електронний запит.EXE
- C:\Windows\system32\cmd.exe /c sws.bat && test2.exe
- C:\Windows\system32\cmd.exe /S /D /c" echo f " [ "echo f" piped into xcopy answers its "file or directory?" prompt ]
- C:\Windows\system32\xcopy.exe /s test2.bat "C:\TEMP\persistent2\test2.bat"
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBE .... [ base64 of UTF-16LE; the visible prefix decodes to "function Get-D" ]
- C:\Windows\system32\reg.exe add HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f [ HKCU ms-settings CurVer handler hijack: ProgID .omg -> test2.exe ]
- C:\Windows\system32\reg.exe add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f
- C:\Windows\system32\reg.exe delete HKCU\Software\Classes\.omg\ /f [ cleanup of the hijack keys ]
- C:\Windows\system32\reg.exe delete HKCU\Software\Classes\ms-settings\ /f
- C:\Users\operator\AppData\Roaming\gbquas.exe
- C:\Users\operator\AppData\Roaming\gbquas.exe
- C:\Users\operator\AppData\Roaming\DVG8873\Update.exe
- C:\Users\operator\AppData\Roaming\DVG8873\Update.exe
- C:\TEMP\IXP000.TMP\test2.exe
- C:\Windows\system32\cmd.exe /c "test2.bat"
- C:\Windows\system32\net.exe session [ batch-style admin privilege check ]
- C:\Windows\system32\net1.exe session
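- Added example (not part of the paste): the proc section above is a compact description of how the loader stages itself, so it is a good template for a process-creation rule. The block below replays the page's command lines as constructed Sysmon-style events and implements three checks: the `net session` admin check, base64 passed to powershell.exe (decoded as UTF-16LE, with the truncated prefix from the page repaired instead of dropped), and the HKCU ms-settings CurVer handler hijack, which is only reported when the CurVer ProgID and the Shell\Open\command written for it are correlated, with a flag for the follow-up cleanup. The Event shape, rule names and sample events are mine.

```python
"""Process-creation rules for the staging chain in the proc section above.
The events are constructed from the command lines on the page; the Event
type, rule names and correlation logic are the example's own."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


# reg.exe add <key> [/v name|/ve] [/t type] /d <data> /f   (quoted keys allowed)
_REG_ADD = re.compile(
    r'reg(?:\.exe)?\s+add\s+(?P<key>"[^"]+"|\S+)(?:\s+/v\s+\S+|\s+/ve)?(?:\s+/t\s+\S+)?'
    r"\s+/d\s+(?P<data>.+?)\s+/f", re.I)
_REG_DEL = re.compile(r'reg(?:\.exe)?\s+delete\s+(?P<key>"[^"]+"|\S+)', re.I)
_HANDLER = re.compile(r"\\Classes\\(?P<ext>\.[^\\]+)\\Shell\\Open\\command$", re.I)
_CURVER = re.compile(r"\\Classes\\(?P<progid>[^\\]+)\\CurVer$", re.I)
_PS_B64 = re.compile(r"-(?:enc\w*|command)\s+(?P<blob>[A-Za-z0-9+/=]{16,})", re.I)


def decode_ps_b64(blob: str) -> str:
    """Decode base64 as PowerShell's -EncodedCommand does (UTF-16LE).

    The paste only shows a truncated prefix, so missing '=' padding is restored,
    an impossible trailing character is dropped, and a dangling low byte is
    completed with 0x00 so the last character survives.
    """
    blob = blob.rstrip(".")
    if len(blob) % 4 == 1:          # no valid base64 has this length
        blob = blob[:-1]
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le", errors="replace")


def detect(events: list[Event]) -> list[dict]:
    """Run the rules over a batch of events and return the findings in order."""
    findings = []
    handlers: dict[str, str] = {}   # ".omg" -> command the handler would run
    curver: dict[str, str] = {}     # "ms-settings" -> ".omg"
    deleted: set[str] = set()

    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()
        cmd = ev.cmdline

        if name == "reg.exe":
            if (m := _REG_ADD.search(cmd)):
                key, data = m["key"].strip('"'), m["data"].strip()
                if (h := _HANDLER.search(key)):
                    handlers[h["ext"].lower()] = data
                elif (c := _CURVER.search(key)):
                    curver[c["progid"].lower()] = data.lower()
            elif (m := _REG_DEL.search(cmd)):
                deleted.add(m["key"].strip('"').rstrip("\\").lower())

        elif name in ("net.exe", "net1.exe") and re.search(r"\bsession\b", cmd, re.I):
            findings.append({"rule": "admin-check-net-session", "pid": ev.pid, "image": ev.image})

        elif name == "powershell.exe" and (m := _PS_B64.search(cmd)):
            findings.append({"rule": "powershell-base64", "pid": ev.pid,
                             "decoded_prefix": decode_ps_b64(m["blob"])})

    # A CurVer under HKCU that points at a ProgID whose Shell\Open\command was
    # also written under HKCU is the handler hijack used against auto-elevating
    # binaries such as fodhelper.exe / ComputerDefaults.exe.
    for progid, ext in curver.items():
        if ext in handlers:
            findings.append({
                "rule": "hkcu-curver-handler-hijack",
                "progid": progid,
                "handler": handlers[ext],
                "cleaned_up": any(k.endswith(f"\\classes\\{progid}") for k in deleted),
            })
    return findings


# Constructed events mirroring the proc section (pids are invented).
SAMPLE_EVENTS = [
    Event(1000, 900, r"C:\Users\operator\Desktop\Електронний запит.EXE",
          r"C:\Users\operator\Desktop\Електронний запит.EXE"),
    Event(1001, 1000, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c sws.bat && test2.exe"),
    Event(1002, 1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBE"),
    Event(1003, 1001, r"C:\Windows\system32\net.exe", r"C:\Windows\system32\net.exe session"),
    Event(1004, 1003, r"C:\Windows\system32\net1.exe", r"C:\Windows\system32\net1.exe session"),
    Event(1005, 1001, r"C:\Windows\system32\reg.exe",
          r"C:\Windows\system32\reg.exe add HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f"),
    Event(1006, 1001, r"C:\Windows\system32\reg.exe",
          r"C:\Windows\system32\reg.exe add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f"),
    Event(1007, 1001, r"C:\Windows\system32\reg.exe", r"C:\Windows\system32\reg.exe delete HKCU\Software\Classes\.omg\ /f"),
    Event(1008, 1001, r"C:\Windows\system32\reg.exe", r"C:\Windows\system32\reg.exe delete HKCU\Software\Classes\ms-settings\ /f"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

- The hijack rule keys on HKCU writes to `Classes\ms-settings\CurVer` plus the matching `Shell\Open\command`; a `delete` of those keys a few seconds later, as seen above, is itself a strong signal and is surfaced as `cleaned_up`. The paste does not show which auto-elevating binary was launched afterwards, so the rule does not assume one.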
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (written 09.01.2024 12:59)
- value: Update | description: PDF Reader for Windows 10 Setup | publisher: PDFLogic Corporation
- target: c:\users\operator\appdata\roaming\dvg8873\update.exe (file timestamp 08.01.2024 16:31)
- drop
- --------------
- C:\Users\operator\AppData\Roaming\gbquas.exe
- %temp%\IXP000.TMP\test2.exe
- %temp%\IXP001.TMP\test2.bat
- %temp%\IXP000.TMP\sws.bat
- # # # # # # # #
- additional info
- # # # # # # # #
- version 1.4.1 (Quasar client configuration)
- subdirectory DVG8873
- install name Update.exe
- mutex 4f6b11a0-3dfc-4b48-b2dc-1f9ff07a13ad
- startup key Update
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/727c60799e6583faf533baa5aa19219e694cf4c6e87ccd3343df784652b15ac3/details
- https://www.virustotal.com/gui/file/c304ffc2f06103d4b60c0ec37a0912f0cefb6ba60273d456d94bb4f6453fa68e/details
- https://www.virustotal.com/gui/file/c5fe2158ba8a017a7548e13c90ffb8e3e6ff0f477094f5f5edc1ebf1de85adab/details
- https://www.virustotal.com/gui/file/b07d36986470cd09256ecba5c11bc16b083776cf61480d9beedc7f0d959b3b23/details
- https://www.virustotal.com/gui/file/e3522b418b77fee951e14e559be564d148d1c8ab905dbeee5d03c628368fe2b0/details
- https://www.virustotal.com/gui/file/76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950/details
- https://analyze.intezer.com/analyses/09ce9fa3-48cd-4bef-8de9-736e869e1949/iocs
- https://www.virustotal.com/gui/file/e8af36287e2270581fd5f2d28c6e0b83b337f58d430554d28dbf55d2ca09fcca/details
- https://www.unpac.me/results/3e4970c1-3423-49b4-b128-b0a6358bc9bf
- VR