General

Target: 05603775ae6c66c7207556660da29de4.exe
Size: 13.8MB
Sample: 211206-hblcyaddgj
MD5: 05603775ae6c66c7207556660da29de4
SHA1: 96f1bed1e99e6cd51c4973a8b586f08097009c15
SHA256: 09ac2a0cc0277beb2b85f5d29b4531e65fb1a25e126f89b8a5ad6d0ba04ef369
SHA512: 7aa7620eda7d2a369414abb6d94671a3b8f039d4fce6dabedcc1daba1c0f91468555512dc7827e050b61168a77a4c2f8636eb8ba4a26b399c22a88709d8c5326
Static task: static1
Behavioral task: behavioral1
  Sample: 05603775ae6c66c7207556660da29de4.exe
  Resource: win7-en-20211104
Malware Config

Extracted: quasar
2.8.0.1
Driver
134.255.220.204:4782
6IzunZymIRucbMwSQj
encryption_key: 85wBI2y5JEbQcrqb3u8l
install_name: Driver.exe
log_directory: Driver
reconnect_delay: 1000
startup_key: RealtekĀ® High Definition Audio Driver
subdirectory: RealtekĀ® High Definition Audio Driver
Targets

Target: 05603775ae6c66c7207556660da29de4.exe
Size: 13.8MB
MD5: 05603775ae6c66c7207556660da29de4
SHA1: 96f1bed1e99e6cd51c4973a8b586f08097009c15
SHA256: 09ac2a0cc0277beb2b85f5d29b4531e65fb1a25e126f89b8a5ad6d0ba04ef369
SHA512: 7aa7620eda7d2a369414abb6d94671a3b8f039d4fce6dabedcc1daba1c0f91468555512dc7827e050b61168a77a4c2f8636eb8ba4a26b399c22a88709d8c5326
Quasar Payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
NirSoft WebBrowserPassView: Password recovery tool for various web browsers
Nirsoft
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger