General
- Target: 19311fa543ef6d6eca7d344c9eb1903634ed126452f5cb824867e5aed0ee86f0
- Size: 3.8MB
- Sample: 220222-r9lwssabd6
- MD5: 3b27377743fc96fe8ddc6aa68ba64366
- SHA1: b1391a4a9d29246c6e8f758024a91aeb031f11cb
- SHA256: 19311fa543ef6d6eca7d344c9eb1903634ed126452f5cb824867e5aed0ee86f0
- SHA512: d58f3037620ee4f84b392a10be9738d7f31f93fac0ae89f6ec40f3825e598b123aab7b7d20c2bff83600cb727a2550691bf3995cbc704472dfc52ed26807bb68
- Static task: static1
- Behavioral task: behavioral1
- Sample: 19311fa543ef6d6eca7d344c9eb1903634ed126452f5cb824867e5aed0ee86f0.exe
- Resource: win7-en-20211208
Malware Config
Extracted: quasar
- 1.3.0.0
- Sys32
- 184.105.238.80:4782
- QSR_MUTEX_IBj5UlCqsXE96x1jgF
- encryption_key: mZfAUjkKkw53M41DGa6d
- install_name: System32.exe
- log_directory: Sys32Logs
- reconnect_delay: 3000
- startup_key: System32
- subdirectory: SubDir
Targets
- Target: 19311fa543ef6d6eca7d344c9eb1903634ed126452f5cb824867e5aed0ee86f0
- Score: 10/10
- Quasar Payload
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.