General

Target: Comprobante de pago.doc
Size: 58KB
Sample: 211023-f51cvacbb4
MD5: f6728352bf1b5f1c78b27a34b48d8325
SHA1: 3dbabe2f63c3cb5f1b93d969d11e3adf665e19fb
SHA256: 0db4c87022c5db7751f85b7c3a63df7a30bf95863e1fff2d6bd5064bd0ace2a1
SHA512: c365babb89087a0187aa6ccdb3f7eadd7a048a08f046da44230d9d25968129cac18cbf96a81a2db66210310c02abec3c130e21f3d60e54112c7c3b5eb7976ddc
Static task: static1
Behavioral task: behavioral1
Sample: Comprobante de pago.doc
Resource: win7-en-20211014
Malware Config

Extracted: quasar
  1.3.0.0
  Criok
  ildriendfrirotoi.zapto.org:61790
  fruitingsuccess.ignorelist.com:61789
  QSR_MUTEX_JS7TIscSksvJKrLXxw
  encryption_key: 7RWfQmQNDJPIz1c1QtI1
  install_name: Updater.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Windows Update
  subdirectory: Windows
Targets

Target: Comprobante de pago.doc
Size: 58KB
Signatures:
- Quasar Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext