General
-
Target
5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094
-
Size
9.0MB
-
Sample
220516-p7rm6aehfm
-
MD5
987bb8bcc92a914d249989e8cca3b2e9
-
SHA1
d09cfc64e1e7b22eb99fcc77c35d0286dfa74d26
-
SHA256
5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094
-
SHA512
23d5356cfbbb8ad8e43e9d1a038f2c30a226fbb43b98bd1062317550bdee099aef51d1ede79781e449f8349b02bc1e67d604342995e89f03d8e3c4be061ea0bd
Static task
static1
Behavioral task
behavioral1
Sample
5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe
Resource
win7-20220414-en
Malware Config
Extracted
Family
quasar
-
Version
1.3.0.0
-
Botnet
Business
-
C2
craft.ooguy.com:1981
-
Mutex
GpDg1xgoq8qb9M6Jp6
-
encryption_key
bJJpHxbw80umglURXtYY
-
install_name
Client.exe
-
log_directory
4k
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094
-
Size
9.0MB
-
MD5
987bb8bcc92a914d249989e8cca3b2e9
-
SHA1
d09cfc64e1e7b22eb99fcc77c35d0286dfa74d26
-
SHA256
5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094
-
SHA512
23d5356cfbbb8ad8e43e9d1a038f2c30a226fbb43b98bd1062317550bdee099aef51d1ede79781e449f8349b02bc1e67d604342995e89f03d8e3c4be061ea0bd
-
Quasar Payload
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence check.
-
Looks up external IP address via web service
Queries a legitimate IP lookup service to determine the infected system's external IP address.
-
Suspicious use of SetThreadContext
-
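The extracted config (install name, subdirectory, startup key, C2 endpoint) together with the behaviours flagged for this sample can be turned directly into host-hunting rules. The Python below is an added example, not part of the sandbox report and not Quasar code: it derives Sysmon-style detection predicates from the config values and runs them over a small set of constructed telemetry records. The Run key location (HKCU, or HKLM when the client is elevated) follows the Quasar 1.3 client source; treating the unlabeled config string GpDg1xgoq8qb9M6Jp6 as the client mutex, and the AppData install base used in the sample records, are assumptions, since the install base directory is not among the fields shown above.

```python
"""Match host telemetry against the Quasar client config extracted in this report.

Added example, not part of the sandbox report.  The event records below are
constructed to resemble Sysmon process (ID 1), network (ID 3) and registry
(ID 13) events plus one handle listing; only the indicator strings come from
the extracted config.
"""
import re
from typing import Callable

# Indicators copied from the extracted config.  Treating the unlabeled string
# "GpDg1xgoq8qb9M6Jp6" as the client mutex is an assumption.
QUASAR_CONFIG = {
    "c2_host": "craft.ooguy.com",
    "c2_port": 1981,
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
    "mutex": "GpDg1xgoq8qb9M6Jp6",
}


def build_rules(cfg: dict) -> list[tuple[str, Callable[[dict], bool]]]:
    """Derive detection predicates from the config values."""
    # The installed client lives at <base>\<subdirectory>\<install_name>; the base
    # directory is not in the config shown, so only the tail of the path is matched.
    install_tail = re.compile(
        r"\\" + re.escape(cfg["subdirectory"]) + r"\\" + re.escape(cfg["install_name"]) + r"$",
        re.IGNORECASE,
    )
    # Quasar 1.3 registers its startup entry as a Run key value named after
    # startup_key, under HKCU, or HKLM when it runs elevated; match either hive.
    run_key = re.compile(
        r"\\Microsoft\\Windows\\CurrentVersion\\Run\\" + re.escape(cfg["startup_key"]) + r"$",
        re.IGNORECASE,
    )

    def installed_client_ran(ev: dict) -> bool:
        return ev.get("EventID") == 1 and bool(install_tail.search(str(ev.get("Image", ""))))

    def run_key_persistence(ev: dict) -> bool:
        return ev.get("EventID") == 13 and bool(run_key.search(str(ev.get("TargetObject", ""))))

    def c2_connection(ev: dict) -> bool:
        # Hit on the configured hostname, or on the configured port when the
        # connecting image is the installed client (covers connections logged by IP).
        if ev.get("EventID") != 3:
            return False
        host_hit = str(ev.get("DestinationHostname", "")).lower() == cfg["c2_host"]
        port_hit = ev.get("DestinationPort") == cfg["c2_port"] and bool(
            install_tail.search(str(ev.get("Image", "")))
        )
        return host_hit or port_hit

    def client_mutex(ev: dict) -> bool:
        # Named mutexes appear under BaseNamedObjects in a handle listing.
        return ev.get("Type") == "Mutant" and str(ev.get("Name", "")).endswith("\\" + cfg["mutex"])

    return [
        ("quasar_installed_client_executed", installed_client_ran),
        ("quasar_run_key_persistence", run_key_persistence),
        ("quasar_c2_connection", c2_connection),
        ("quasar_client_mutex", client_mutex),
    ]


def hunt(events: list[dict], cfg: dict = QUASAR_CONFIG) -> list[tuple[str, int]]:
    """Return (rule_name, event index) for every event that matches a rule."""
    rules = build_rules(cfg)
    hits = []
    for idx, ev in enumerate(events):
        for name, pred in rules:
            if pred(ev):
                hits.append((name, idx))
    return hits


# Constructed telemetry: two benign records and four reflecting the behaviour
# implied by the config (dropped client executed, Run key set, beacon, mutex).
# The AppData install base is an assumption for illustration.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},                                  # 0 benign
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe",
     "ParentImage": r"C:\Users\victim\Downloads\5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe"},  # 1
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup",
     "Details": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"},                            # 2
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe",
     "DestinationHostname": "craft.ooguy.com", "DestinationPort": 1981},                           # 3
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "example.org", "DestinationPort": 443},                                # 4 benign
    {"Type": "Mutant", "Name": r"\Sessions\1\BaseNamedObjects\GpDg1xgoq8qb9M6Jp6"},             # 5
]

if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_EVENTS):
        print(f"{rule:36s} event #{idx}")
```

Run it directly to print the four hits against the constructed records; in practice, feed it exported Sysmon events and extend the C2 rule with the resolved address once DNS for craft.ooguy.com has been captured, since dynamic DNS names rotate and the reconnect_delay of 3000 ms means the beacon will reappear quickly after any connection failure.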