General
Target: 5c395df95b067f10c115f92e193d7f61bc6ce05eefb20bfc86aac86f278e0600.vbs
Size: 1KB
Sample: 211017-h3hfcscdg9
MD5: 010eb448243fbab8334a1c528ec2e356
SHA1: 35c7cb4272dd30c97711284673b60e9bf8aa105e
SHA256: 5c395df95b067f10c115f92e193d7f61bc6ce05eefb20bfc86aac86f278e0600
SHA512: 846869584bd44dfe8cbc96bb4e6a32e3a317a027646e4715253c226147941c1f934d0927e6a92262717a07cb77aa76e5c20721c72702cc4ded98523c954ce127

Static task: static1

Malware Config
Extracted: quasar
1.3.0.0
8
3.36.121.136:4782
QSR_MUTEX_2buErdxrYVW8JvhTM4
encryption_key: HHPAsaGEK7mx9XJmMzI4
install_name: Client.exe
log_directory: Logs
reconnect_delay: 10
startup_key: Quasar Client Startup
subdirectory: SubDir

Targets
Target: 5c395df95b067f10c115f92e193d7f61bc6ce05eefb20bfc86aac86f278e0600.vbs (hashes as in General above)
- Quasar Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops startup file
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext