General
Target: 980c16ace3de850ecab59d309e5e36ccc876ca917b2ae282f07a92c7cb75e973
Size: 429KB
Sample: 211219-r67dbsgeb2
MD5: 9421080325b399fe52f19a5069176df0
SHA1: 64ef50ff83a597c5dfedc850528922e9afd9874a
SHA256: 980c16ace3de850ecab59d309e5e36ccc876ca917b2ae282f07a92c7cb75e973
SHA512: 4275f4050e027c922249af8c199e5bf6ff3c1511ecb71608cfd9b867b3819a0d372ddac910a8a4187e969f88fd030185ebf94ce33023cd8a16b40c894816e5a2
Static task: static1
Behavioral task: behavioral1
Sample: 980c16ace3de850ecab59d309e5e36ccc876ca917b2ae282f07a92c7cb75e973.exe
Resource: win10-en-20211208
Malware Config
Extracted family: quasar
Version: 1.4.0.0
C2: shadowhost.ddns.net:36000
Other extracted config values: Hacked, hsZQSoSXcLWLWzB5Tq
encryption_key: qtt3efuuXlzXZe7rvxla
install_name: Runtime Broker.exe
log_directory: KeysLOGGER Logs
reconnect_delay: 3000
startup_key: System
subdirectory: SystemMain
Targets
Target: 980c16ace3de850ecab59d309e5e36ccc876ca917b2ae282f07a92c7cb75e973
Size: 429KB
MD5, SHA1, SHA256, SHA512: identical to the values listed under General above.
Score: 10/10
- Quasar Payload
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.