3/ In the client builder (which creates an executable which is used for the infection), the default port is pre-configured to 4782.

4/ On ThreatFox by @abuse_ch, we see that a quarter of the samples kept this default port. [3]

The other samples use a different high port.

5/ We can create a "random" Mutex per client build, though random is not quite right. 🤔

7/ Using the example of a recent sample on Bazaar [4], we look at the Mutexes logged by @joe4security. [5]

So it seems that besides the default port also the default mutex values are used ITW.

8/ Hunting for Mutexes with @velocidex's Velociraptor with the Mutants-Hunt with the following regex:

(?-i)\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$

Which finds the infected machine in the lab 😎

9/ In networks were TLS is broken up on the proxy, the hard-coded user agent string could be used for hunting or setting up monitoring for this value. [6]

10/ Quasar uses the same persistence mechanisms as AsyncRAT, which we analyzed in a previous tweet [9].

A run-key entry is created when ran with an unprivileged user, or a new scheduled task is created when ran with administrative credentials.