General

Target: 4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
Size: 23KB
Sample: 220516-ymcsyahecp
MD5: f6a89138844ae967a364d21960ecf30d
SHA1: 49fedb666276b477e636e493be47d1011fddbf06
SHA256: 4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df
SHA512: af81ed3093e5a46fad90efc073ea353bf3a192aa21081f2811d54cae2b8aaaaebf7e351f06f1d1dad22fef68ac5dc326333bdaec1ac0958fe716c111bfd25a30
Static task: static1
Behavioral task: behavioral1
Sample: 4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe
Resource: win7-20220414-en
Malware Config

Extracted: amadey
Version: 3.08
C2: 190.123.44.138/Qbv2ff03/index.php

Extracted: quasar
Version: 2.8.0.1
Malek
C2: 54.237.250.208:5553
COjIFE2SxD895kMBY2
encryption_key: 1Xdt7BW8AuSSiRQFMe7U
install_name: Notepad.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Notepad
subdirectory
Targets

Target: 4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe (23KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Quasar Payload
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext
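The extracted configuration (Amadey C2 URL, Quasar C2 host:port, install_name, startup_key) and the behavioral signatures above (Run key persistence, dropped EXE, C2 connectivity) are the pieces a responder turns into hunting logic. The script below is an added example for this page, not code from the sandbox or from either malware family: it carries the report's IOCs and runs them over constructed, Sysmon-like event records whose field names (type, key, value, path, sha256, dst_ip, dst_port, name) are an assumed layout, not any vendor's schema. Treating the unlabelled value COjIFE2SxD895kMBY2 as the Quasar mutex, and assuming the genuine notepad.exe only lives under C:\Windows, are both assumptions the report does not state.

```python
"""Match the IOCs extracted in the report above against constructed host/network events.

Added example for this page, not code from the sandbox or from either malware family.
Event records use an assumed Sysmon-like field layout (type, key, value, path, sha256,
dst_ip, dst_port, name); they are constructed here so the script runs offline.
"""

# IOCs transcribed from the report. The unlabelled value COjIFE2SxD895kMBY2 is treated
# as the Quasar mutex (an assumption; the report does not label it).
IOCS = {
    "sha256": "4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df",
    "md5": "f6a89138844ae967a364d21960ecf30d",
    "amadey_c2": "190.123.44.138/Qbv2ff03/index.php",
    "quasar_c2": ("54.237.250.208", 5553),
    "quasar_mutex": "COjIFE2SxD895kMBY2",
    "install_name": "Notepad.exe",
    "startup_key": "Notepad",
}

RUN_KEY = r"software\microsoft\windows\currentversion\run"


def check_event(ev: dict) -> list[str]:
    """Return the names of every IOC/heuristic this single event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "network":
        if (ev.get("dst_ip"), ev.get("dst_port")) == IOCS["quasar_c2"]:
            hits.append("quasar_c2")
        # Amadey C2 is a plain-HTTP URL; rebuild host + path from the event.
        if f"{ev.get('dst_ip')}{ev.get('path', '')}" == IOCS["amadey_c2"]:
            hits.append("amadey_c2")
    elif kind == "registry_set":
        key = ev.get("key", "").lower()
        value = ev.get("value", "").lower()
        # "Adds Run key to start application": the value name equals startup_key.
        if key.endswith(RUN_KEY + "\\" + IOCS["startup_key"].lower()):
            hits.append("quasar_run_key")
        # Any Run entry whose command references the install_name.
        if RUN_KEY in key and IOCS["install_name"].lower() in value:
            hits.append("quasar_install_name_in_run")
    elif kind == "file_create":
        if ev.get("sha256") == IOCS["sha256"] or ev.get("md5") == IOCS["md5"]:
            hits.append("dropper_hash")
        path = ev.get("path", "").replace("/", "\\").lower()
        base = path.rsplit("\\", 1)[-1]
        # Heuristic (assumption): the genuine notepad.exe lives under C:\Windows,
        # so a Notepad.exe written anywhere else is the masquerading install_name.
        if base == IOCS["install_name"].lower() and "\\windows\\" not in path:
            hits.append("notepad_exe_outside_windows_dir")
    elif kind == "mutex":
        if ev.get("name") == IOCS["quasar_mutex"]:
            hits.append("quasar_mutex")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> matched IOC names, for the events that matched anything."""
    result = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            result[ev["id"]] = hits
    return result


# Constructed telemetry: six events that should match, two benign ones that should not.
EVENTS = [
    {"id": 1, "type": "file_create",
     "path": r"C:\Users\victim\AppData\Local\Temp\4c53c592ba9ac00d3a729b34c3f1847d4f2fc26174bda2eaa1cff69d16b7e4df.exe",
     "sha256": IOCS["sha256"]},
    {"id": 2, "type": "network", "dst_ip": "190.123.44.138", "dst_port": 80,
     "path": "/Qbv2ff03/index.php"},
    {"id": 3, "type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\Notepad.exe",
     "sha256": "0" * 64},
    {"id": 4, "type": "registry_set",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Notepad",
     "value": r'"C:\Users\victim\AppData\Roaming\Notepad.exe"'},
    {"id": 5, "type": "mutex", "name": "COjIFE2SxD895kMBY2"},
    {"id": 6, "type": "network", "dst_ip": "54.237.250.208", "dst_port": 5553},
    {"id": 7, "type": "file_create", "path": r"C:\Windows\System32\notepad.exe",
     "sha256": "1" * 64},
    {"id": 8, "type": "network", "dst_ip": "54.237.250.208", "dst_port": 443},
]

if __name__ == "__main__":
    for event_id, hits in scan(EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

The hash, C2 and mutex checks are exact-match and will only ever catch this build; the Run-key and out-of-place Notepad.exe checks are the parts worth keeping as generic hunts, since Quasar's install_name/startup_key pairing is operator-chosen and other samples will reuse the same masquerade with a different hash and C2.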