General
Target: 85e8b908422ff5433e4c955c4a2fc7ce8a620ad36fcc4eca6053ac5545ac2554
Size: 430KB
Sample: 220327-b5bl9sgbek
MD5: af0433a407830ec84667a6362eed8a42
SHA1: c54bb509f451fba6ca80c4d01691457fc3a1b750
SHA256: 85e8b908422ff5433e4c955c4a2fc7ce8a620ad36fcc4eca6053ac5545ac2554
SHA512: 9be32367bcafb5d695e7f31fa630ec01d763581852c38bef3c03a35c59187934ef968354884daf5ef889821a59adfd8f911bde841f638e2c36643f50d9828d0e
Static task: static1
Behavioral task: behavioral1
  Sample: 85e8b908422ff5433e4c955c4a2fc7ce8a620ad36fcc4eca6053ac5545ac2554.exe
  Resource: win7-20220331-en
Behavioral task: behavioral2
  Sample: 85e8b908422ff5433e4c955c4a2fc7ce8a620ad36fcc4eca6053ac5545ac2554.exe
  Resource: win10v2004-20220331-en
Malware Config
Extracted family: quasar
Version: 1.3.0.0
1127
C2: devils.shacknet.us:4782
Mutex: QSR_MUTEX_H4ekUmBSgCWszBiPWN
Attributes:
  encryption_key: tgW5GJ07giRPamWPjP4J
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Targets
Target: 85e8b908422ff5433e4c955c4a2fc7ce8a620ad36fcc4eca6053ac5545ac2554
Size: 430KB
MD5: af0433a407830ec84667a6362eed8a42
SHA1: c54bb509f451fba6ca80c4d01691457fc3a1b750
SHA256: 85e8b908422ff5433e4c955c4a2fc7ce8a620ad36fcc4eca6053ac5545ac2554
SHA512: 9be32367bcafb5d695e7f31fa630ec01d763581852c38bef3c03a35c59187934ef968354884daf5ef889821a59adfd8f911bde841f638e2c36643f50d9828d0e
Score: 10/10
Signatures:
  Quasar Payload
  Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  Adds Run key to start application
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  Suspicious use of SetThreadContext