General
- Target: 550b51d2a09fb0f3de57d1a11327235fa3349f8ae3605b065b9e85b44c00bbee
- Size: 3.3MB
- Sample: 220310-v4mgxscefk
- MD5: 6e582307cd30f4d9d3090ad09029a054
- SHA1: f3acdde16804c9034ed025ad78b3000375135ab7
- SHA256: 550b51d2a09fb0f3de57d1a11327235fa3349f8ae3605b065b9e85b44c00bbee
- SHA512: c284503f042fed5d1f56042f803e0eb169d7a265ecda70112cc467bf47b879dab756230da0f9f202f0f8cd8841d3ecd49f59fcd2a6fea7cc3e8023e8a4dddd2d
Static task: static1
Behavioral task: behavioral1
- Sample: 550b51d2a09fb0f3de57d1a11327235fa3349f8ae3605b065b9e85b44c00bbee.exe
- Resource: win7-20220223-en
Malware Config
Extracted: quasar 1.3.0.0
- Sys32
- 184.105.238.80:4782
- QSR_MUTEX_IBj5UlCqsXE96x1jgF
- encryption_key: mZfAUjkKkw53M41DGa6d
- install_name: System32.exe
- log_directory: Sys32Logs
- reconnect_delay: 3000
- startup_key: System32
- subdirectory: SubDir
Targets
- Quasar Payload
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.