General
Target: 5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f.bin
Size: 3.3MB
Sample: 211013-sggxtaecal
MD5: 3dbcc2578008081544f897c8da00eb7a
SHA1: f4482885c164ec964cad395717306f09a0f68a63
SHA256: 5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f
SHA512: 93c4800e51a44770e1f16ecee997f05d213ee3276fcd5b04afe0a8ad274a77ec99539228a4d75d96c9bd9fb7dfb01df69b5ab17456725476207a25ba7e4f6952
Static task: static1
Behavioral task: behavioral1
  Sample: 5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f.bin.exe
  Resource: win7-en-20210920
Malware Config
Extracted
Family: quasar
Version: 2.1.0.0
Botnet: gen
C2: zaidtheboii-50153.portmap.host:50153
Mutex: VNM_MUTEX_c2q7y2ayYutZ2XaYe7
encryption_key: Z0J9rVN8qwPnSK9m7RW5
install_name: OneDrive.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds)
startup_key: Microsoft OneDrive
subdirectory: Microsoft OneDrive
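Host-side triage driven by the configuration above, as an added example that is not part of the sandbox report. It assumes the Quasar client's install behaviour: a non-elevated run copies itself to %APPDATA%\<subdirectory>\<install_name> and registers a Run value named <startup_key> under HKCU, an elevated run uses %ProgramFiles% and HKLM, and the mutex is created at start-up for single-instance control. The destination port 50153 is taken from the C2 line. One caveat drives the design: the legitimate per-machine OneDrive client really does install to %ProgramFiles%\Microsoft OneDrive\OneDrive.exe, so a path match alone is not enough and the script falls back to the report's SHA256 and the Authenticode signature before flagging a file.

```powershell
# Added example, not from the report. Hunts for the indicators of the Quasar
# configuration extracted above on the local host. Install paths and Run-key
# locations follow the Quasar client's install logic (assumption, see lead-in).
$Config = @{
    InstallName  = 'OneDrive.exe'
    SubDirectory = 'Microsoft OneDrive'
    StartupKey   = 'Microsoft OneDrive'
    Mutex        = 'VNM_MUTEX_c2q7y2ayYutZ2XaYe7'
    Sha256       = '5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f'
    C2Port       = 50153
}
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped binary. The per-user OneDrive lives in %LOCALAPPDATA%\Microsoft\OneDrive\
#    (no space), so the Roaming path is suspicious on its own; the Program Files
#    path collides with the per-machine OneDrive install and needs hash/signature.
$Candidates = @(
    (Join-Path (Join-Path $env:APPDATA      $Config.SubDirectory) $Config.InstallName)
    (Join-Path (Join-Path $env:ProgramFiles $Config.SubDirectory) $Config.InstallName)
)
foreach ($Path in $Candidates) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $Sig  = Get-AuthenticodeSignature -LiteralPath $Path
    if ($Hash -eq $Config.Sha256) {
        $Findings.Add("$Path : SHA256 matches the analysed sample")
    } elseif ($Sig.Status -eq 'Valid' -and $Sig.SignerCertificate.Subject -like '*Microsoft Corporation*') {
        # Validly Microsoft-signed binary in this folder: the legitimate client, not a hit.
    } else {
        $Findings.Add("$Path : unexpected binary (SHA256 $Hash, signature $($Sig.Status)); possibly a rebuilt payload")
    }
}

# 2. Run-key persistence. The value name is the startup_key; the real OneDrive
#    client registers itself as "OneDrive", not "Microsoft OneDrive".
foreach ($Key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $Value = Get-ItemProperty -Path $Key -Name $Config.StartupKey -ErrorAction SilentlyContinue
    if ($Value) {
        $Findings.Add("Run value '$($Config.StartupKey)' in $Key -> $($Value.($Config.StartupKey))")
    }
}

# 3. Mutex. Quasar creates it at start-up to stay single-instance, so a handle
#    that can be opened means the client is running in this session right now.
try {
    $m = [System.Threading.Mutex]::OpenExisting($Config.Mutex)
    $m.Dispose()
    $Findings.Add("Mutex $($Config.Mutex) exists: client is running")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: nothing to report.
} catch [System.UnauthorizedAccessException] {
    $Findings.Add("Mutex $($Config.Mutex) exists but cannot be opened (other session or integrity level)")
}

# 4. Live C2 sessions. Matching on the port avoids resolving the portmap.host
#    name from the victim, which would tip off the operator; take the domain
#    to DNS/proxy logs instead.
Get-NetTCPConnection -RemotePort $Config.C2Port -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add("Established TCP to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($($Proc.ProcessName))")
    }

if ($Findings.Count -eq 0) {
    'No indicators from this Quasar configuration found on this host.'
} else {
    $Findings | ForEach-Object { "[!] $_" }
}
```

Run it in an elevated PowerShell session so the HKLM Run key, %ProgramFiles% and other users' TCP connections are visible; a non-elevated run still covers the per-user install path and HKCU, which is where a build without UAC bypass lands.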
Targets
Target: 5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f.bin
Size: 3.3MB
MD5: 3dbcc2578008081544f897c8da00eb7a
SHA1: f4482885c164ec964cad395717306f09a0f68a63
SHA256: 5263b2b6ca33bcccd88c65c8d88191e1d564f421e27a6a63ce9935bc78dc524f
SHA512: 93c4800e51a44770e1f16ecee997f05d213ee3276fcd5b04afe0a8ad274a77ec99539228a4d75d96c9bd9fb7dfb01df69b5ab17456725476207a25ba7e4f6952
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.
- Quasar Payload
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory