General
-
Target
b7898c6a_by_Libranalysis
-
Size
943KB
-
Sample
210429-hpehy7bd76
-
MD5
b7898c6a6ad962f8c6eabacd63d51418
-
SHA1
d705cbd1a514ad493c5055dc2568a58666cdf73a
-
SHA256
78e4ef886190359e5dc1f29aa83ed6c99dd06f8f972f740d9884be524b3cd126
-
SHA512
cf1dd64c43a1c656aadec8c7a96d1dad99554cdb152082da97edcace7e2dbb28a3300178da9aa238bd9e63912921cb8598e8c803ffbec0d65be11ad95d363b73
Static task
static1
Behavioral task
behavioral1
Sample
b7898c6a_by_Libranalysis.exe
Resource
win7v20210408
Malware Config
Targets
-
-
Target
b7898c6a_by_Libranalysis
-
Size
943KB
-
MD5
b7898c6a6ad962f8c6eabacd63d51418
-
SHA1
d705cbd1a514ad493c5055dc2568a58666cdf73a
-
SHA256
78e4ef886190359e5dc1f29aa83ed6c99dd06f8f972f740d9884be524b3cd126
-
SHA512
cf1dd64c43a1c656aadec8c7a96d1dad99554cdb152082da97edcace7e2dbb28a3300178da9aa238bd9e63912921cb8598e8c803ffbec0d65be11ad95d363b73
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies security service
-
Quasar Payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-