General
-
Target
178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de
-
Size
6.8MB
-
Sample
220215-txchpshab2
-
MD5
4d8eb19e4c6ad857cf5f0b1eed9613a6
-
SHA1
a907eb422049512f9efcfbefc7bf9fb5a2500d89
-
SHA256
178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de
-
SHA512
74a2be4e0acdb4378f20a7b9ca4ac753fa0faad57b67163d087e1ec79df808e1ffc2d5687e6404a126645939f4dd8128a095077d85ac933aaa7fdeba3e4714ce
Static task
static1
Behavioral task
behavioral1
Sample
178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe
Resource
win7-en-20211208
Malware Config
Extracted
quasar
1.4.0
VapeUser
pangrowman.myddns.me:4782
d7ca8b59-e988-46e5-b633-b83737aaab77
-
encryption_key
843E9B8CFBAC676CE893EA246D37E169B7DB0FB4
-
install_name
MicrosoftSupport.exe
-
log_directory
Logs
-
reconnect_delay
5000
-
startup_key
Windows Support
-
subdirectory
Windows
Targets
-
-
Target
178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de
-
Size
6.8MB
-
MD5
4d8eb19e4c6ad857cf5f0b1eed9613a6
-
SHA1
a907eb422049512f9efcfbefc7bf9fb5a2500d89
-
SHA256
178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de
-
SHA512
74a2be4e0acdb4378f20a7b9ca4ac753fa0faad57b67163d087e1ec79df808e1ffc2d5687e6404a126645939f4dd8128a095077d85ac933aaa7fdeba3e4714ce
-
Quasar Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-