General
  Target:  05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.exe
  Size:    109KB
  Sample:  220305-t1c9eagff6
  MD5:     1755e55d32771a3d51e049ef4ee9f7ef
  SHA1:    bbfcea2e25a843d2d2c4023ed026809c0a173e88
  SHA256:  05f1ffa1ec36931cc7eea37bec05882e59b185e237b4832fc0abe393dd5e0519
  SHA512:  be18e1db9cfa88a41d3cf8945399d16aa145b905687a78324f0fb4cbea94a4d7dc6354975ab938fb2e9ab30469ac47f9ce3858485a132bd5354cafd0920cc328
Static task:     static1
Behavioral task: behavioral1
  Sample:   05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.exe
  Resource: win7-20220223-en
Malware Config
Extracted:
  URL: https://cdn.discordapp.com/attachments/935052169835593748/936336201043042364/MarsisESP.sln
Extracted:
  URL: https://cdn.discordapp.com/attachments/935052169835593748/935052475730391070/Cheats.exe
Extracted:
  Family:  quasar
  Version: 1.4.0
  Botnet:  Cheats
  C2:      anubisgod.duckdns.org:1338
  Mutex:   6f2a7175-754c-4ce5-a610-2f8866732c05
  Attributes:
    encryption_key:  0411D8B9B23547F86733347B0634010F112E158F
    install_name:    dlscord.exe
    log_directory:   dlscordLogs
    reconnect_delay: 3000
    startup_key:     dlscord
    subdirectory:    dlscord
Targets
  Target:  05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.exe
  Size:    109KB
  MD5:     1755e55d32771a3d51e049ef4ee9f7ef
  SHA1:    bbfcea2e25a843d2d2c4023ed026809c0a173e88
  SHA256:  05f1ffa1ec36931cc7eea37bec05882e59b185e237b4832fc0abe393dd5e0519
  SHA512:  be18e1db9cfa88a41d3cf8945399d16aa145b905687a78324f0fb4cbea94a4d7dc6354975ab938fb2e9ab30469ac47f9ce3858485a132bd5354cafd0920cc328
  - Quasar Payload
  - Blocklisted process makes network request
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Loads dropped DLL
  - Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.