Severity
Medium
Analysis Summary
Quasar is a publicly available Remote Access Tool (RAT) for Windows hosts. It is being distributed as malware through malicious spam (malspam). This campaign uses invoice-themed malspam purporting to come from Emirates Industrial City. Below is a screenshot of the email from ISC institute.
Impact
Unauthorized Access
Remote Code Execution
Indicators of Compromise
IP(s) / Hostname(s)
192[.]3[.]204[.]194
45[.]74[.]60[.]135
URLs
hxxs[:]//www[.]tradersbolt[.]com/126/invoice1[.]exe
mail[.]totallyanonymous[.]com
www[.]tradersbolt[.]com
ip-api[.]com
greatest[.]ddns[.]net
puu[.]sh
icanhazip[.]com
Email Address
tpwilkins[@]yahoo[.]co[.]jp
alsaqr3[@]eim[.]ae
Email Subject
Hello [Target’s name] Urgent Account details confirmation for payment
Malware Hash (MD5/SHA1/SHA256)
SHA256: abc980ebd2463ff522ff090914cc21d02915f643f385ee0ea0af23d51a18e47f
MD5: 36bbba67af90faf31808412008c61db3
SHA256: 065ac3f23800921135b1794706aca86ab59c94ab463c5c17a4d3535bf9aab828
MD5: 101e6dfba90b9b82a23caf5e47f72e97
SHA256: 389863b056fa0c3d4ebf130103445bc56769824f1e6cecea9c950744b80752b0
MD5: 28a627d45425192d6f28fd0d324445d7
SHA256: edcbbb59405b2bb97269ed5db32a15b57154221adb9504ff828ee367953cccc1
MD5: dd53b81b262364cd0051cdeb3bd54c7d
Remediation
Block the threat indicators at their respective controls: the sender addresses at the email gateway, the URLs, hostnames and IP addresses at the web proxy, DNS resolver and perimeter firewall, and the file hashes at endpoint protection. Do not download or open email attachments from untrusted sources.
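The following Python script is an added example, not part of the advisory: it refangs the indicators listed above and sweeps them across log lines. The log format (key=value proxy, DNS, mail and EDR records) and the sample lines are constructed for the demonstration. One design choice is an assumption of this example rather than guidance from the advisory: ip-api[.]com, puu[.]sh and icanhazip[.]com are third-party services that benign software also contacts, so the script reports a hit on them as context to be reviewed alongside other evidence rather than as an alert on its own.

```python
import re
from typing import Dict, List, Tuple

# Indicators copied from the advisory above, still in their defanged form.
HIGH_CONFIDENCE = [
    "192[.]3[.]204[.]194",
    "45[.]74[.]60[.]135",
    "www[.]tradersbolt[.]com",
    "mail[.]totallyanonymous[.]com",
    "greatest[.]ddns[.]net",
]
# Also listed in the advisory, but these are public services that legitimate
# software queries too (geolocation, image hosting, external-IP lookup), so a
# hit is reported as "context" rather than "alert" (assumption of this example).
LOW_CONFIDENCE = ["ip-api[.]com", "puu[.]sh", "icanhazip[.]com"]
SENDERS = ["tpwilkins[@]yahoo[.]co[.]jp", "alsaqr3[@]eim[.]ae"]
HASHES = [
    "abc980ebd2463ff522ff090914cc21d02915f643f385ee0ea0af23d51a18e47f",
    "36bbba67af90faf31808412008c61db3",
    "065ac3f23800921135b1794706aca86ab59c94ab463c5c17a4d3535bf9aab828",
    "101e6dfba90b9b82a23caf5e47f72e97",
    "389863b056fa0c3d4ebf130103445bc56769824f1e6cecea9c950744b80752b0",
    "28a627d45425192d6f28fd0d324445d7",
    "edcbbb59405b2bb97269ed5db32a15b57154221adb9504ff828ee367953cccc1",
    "dd53b81b262364cd0051cdeb3bd54c7d",
]


def refang(indicator: str) -> str:
    """Turn the bracket-defanged form back into a real host, address or URL."""
    out = indicator.replace("[.]", ".").replace("[@]", "@").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", out)


HIGH = {refang(i) for i in HIGH_CONFIDENCE}
LOW = {refang(i) for i in LOW_CONFIDENCE}
SENDER_SET = {refang(i) for i in SENDERS}
HASH_SET = {h.lower() for h in HASHES}

# Generic key=value extraction so one matcher covers proxy, DNS, mail and EDR lines.
KV_RE = re.compile(r"(\w+)=(\S+)")
RANK = {"clean": 0, "context": 1, "alert": 2}


def classify(line: str) -> Tuple[str, List[str]]:
    """Return (verdict, matched indicators) for a single log line."""
    fields: Dict[str, str] = dict(KV_RE.findall(line))
    verdict, hits = "clean", []

    def raise_to(level: str) -> None:
        nonlocal verdict
        if RANK[level] > RANK[verdict]:
            verdict = level

    # Destination hosts and DNS queries; a trailing ":port" is stripped first.
    for key in ("dst", "query"):
        value = re.sub(r":\d+$", "", fields.get(key, "").lower())
        if value in HIGH:
            hits.append(value)
            raise_to("alert")
        elif value in LOW:
            hits.append(value)
            raise_to("context")

    sender = fields.get("from", "").lower()
    if sender in SENDER_SET:
        hits.append(sender)
        raise_to("alert")

    for key in ("md5", "sha256"):
        digest = fields.get(key, "").lower()
        if digest in HASH_SET:
            hits.append(digest)
            raise_to("alert")

    return verdict, hits


def triage(lines: List[str]) -> List[Tuple[str, List[str], str]]:
    """Keep only lines that matched something, highest-severity first."""
    results = [(v, h, ln) for ln in lines for v, h in [classify(ln)] if h]
    return sorted(results, key=lambda r: -RANK[r[0]])


# Constructed sample log lines (not real telemetry); timestamps are placeholders.
SAMPLE_LOGS = [
    "2000-01-01T09:12:01 proxy src=10.0.0.15 dst=www.tradersbolt.com:443 uri=/126/invoice1.exe",
    "2000-01-01T09:12:07 dns src=10.0.0.15 query=greatest.ddns.net",
    "2000-01-01T09:12:09 proxy src=10.0.0.15 dst=icanhazip.com:80 uri=/",
    "2000-01-01T09:12:30 proxy src=10.0.0.22 dst=www.example.com:443 uri=/",
    "2000-01-01T08:58:44 mail from=tpwilkins@yahoo.co.jp to=finance@corp.example",
    "2000-01-01T09:13:00 edr host=WS15 sha256=abc980ebd2463ff522ff090914cc21d02915f643f385ee0ea0af23d51a18e47f",
]

if __name__ == "__main__":
    for verdict, hits, line in triage(SAMPLE_LOGS):
        print(f"{verdict.upper():8} {', '.join(hits):40} {line}")
```

The `context` verdict matters in practice: blocking icanhazip.com or ip-api.com outright at the proxy will also break legitimate tooling, so those hosts are better used to corroborate a hit on the high-confidence indicators from the same source address than as standalone block entries.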