General
- Target: 983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
- Size: 21KB
- Sample: 220518-q33qasdbgn
- MD5: d5d6d152edeeb1a13020514aceaad436
- SHA1: 1909b7fd2f20c4c2e4ecd8c186863f0ca90867d9
- SHA256: 983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26
- SHA512: 1e398c67483e9cab11e99af590c59274d5f6c23c5a69c88a019052074890b69c8148728fd880ecd7f91ad53f310a061b86154d985948ccc12f33640a0f23b6d0
Static task: static1
Behavioral task: behavioral1
- Sample: 983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
- Resource: win7-20220414-en
Malware Config
Extracted: amadey
- Version: 3.08
- C2: 190.123.44.138/Qbv2ff03/index.php
Extracted: quasar
- Version: 2.8.0.1
- Malek
- C2: 54.237.250.208:5553
- COjIFE2SxD895kMBY2
- encryption_key: 1Xdt7BW8AuSSiRQFMe7U
- install_name: Notepad.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Notepad
- subdirectory
Targets
- Target: 983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
- Quasar Payload
- suricata: ET MALWARE Common RAT Connectivity Check Observed
- suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
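As an added example (not part of the sandbox report), the extracted Amadey and Quasar configuration and the "Adds Run key" signature above are turned into a small IOC set and matched against host and network telemetry. The indicator values are copied from the report; the telemetry line format, the process ids, the AppData path and the benign lines are constructed for illustration, and the Amadey C2 is treated as a bare host/path pair because the report gives no scheme.

```python
"""IOC extraction and telemetry matching for the sample described above.

Added example, not part of the sandbox report. The indicator values are
copied from the report; the telemetry format and log lines are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Indicators taken from the report.
SAMPLE_SHA256 = "983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26"
SAMPLE_MD5 = "d5d6d152edeeb1a13020514aceaad436"
AMADEY_C2 = "190.123.44.138/Qbv2ff03/index.php"  # host/path only; the report gives no scheme
QUASAR_C2 = "54.237.250.208:5553"
QUASAR_INSTALL_NAME = "Notepad.exe"
QUASAR_STARTUP_KEY = "Notepad"

RUN_KEY_SUFFIX = "\\currentversion\\run"  # HKCU/HKLM ...\Windows\CurrentVersion\Run


@dataclass(frozen=True)
class Ioc:
    kind: str     # sha256, md5, ip, url_path, ip_port, run_value, file_name
    value: str
    source: str   # which part of the report the indicator came from


def build_iocs() -> list[Ioc]:
    """Normalise the report's extracted config into typed indicators."""
    host, _, path = AMADEY_C2.partition("/")
    return [
        Ioc("sha256", SAMPLE_SHA256, "sample"),
        Ioc("md5", SAMPLE_MD5, "sample"),
        Ioc("ip", host, "amadey c2"),
        Ioc("url_path", "/" + path, "amadey c2"),
        Ioc("ip_port", QUASAR_C2, "quasar c2"),
        Ioc("run_value", QUASAR_STARTUP_KEY, "quasar persistence"),
        Ioc("file_name", QUASAR_INSTALL_NAME, "quasar persistence"),
    ]


def filename_matches_sha256(filename: str, sha256: str = SAMPLE_SHA256) -> bool:
    """Sandbox submissions are often named after their SHA-256; confirm it here."""
    stem = filename.rsplit(".", 1)[0].lower()
    return len(stem) == 64 and stem == sha256.lower()


def _parse(line: str) -> tuple[str, dict[str, str]]:
    """Constructed telemetry format: '<event> k=v k=v ...' (values contain no spaces)."""
    event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs if "=" in kv)
    return event, {k: v.lower() for k, v in fields.items()}


def scan(lines: list[str], iocs: list[Ioc] | None = None) -> list[tuple[str, str]]:
    """Return (source, line) for every telemetry line that matches an indicator."""
    by_kind: dict[str, set[str]] = {}
    for ioc in iocs or build_iocs():
        by_kind.setdefault(ioc.kind, set()).add(ioc.value.lower())

    hits = []
    for line in lines:
        event, f = _parse(line)
        if event == "netconn" and f"{f.get('dst')}:{f.get('dport')}" in by_kind["ip_port"]:
            hits.append(("quasar c2", line))
        elif (event == "http" and f.get("host") in by_kind["ip"]
              and f.get("path") in by_kind["url_path"]):
            hits.append(("amadey c2", line))
        elif (event == "regset" and f.get("key", "").endswith(RUN_KEY_SUFFIX)
              and f.get("name") in by_kind["run_value"]
              and f.get("data", "").rsplit("\\", 1)[-1] in by_kind["file_name"]):
            # Windows does not register notepad.exe under a Run key; a Run value
            # named "Notepad" launching Notepad.exe matches this Quasar build's config.
            hits.append(("quasar persistence", line))
    return hits


# Constructed telemetry: three lines modelled on the report's indicators, two benign.
TELEMETRY = [
    "netconn pid=4120 dst=54.237.250.208 dport=5553 proto=tcp",
    "http pid=4120 method=POST host=190.123.44.138 path=/Qbv2ff03/index.php",
    "regset pid=4120 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "name=Notepad data=C:\\Users\\user\\AppData\\Roaming\\Notepad.exe",
    "netconn pid=880 dst=13.107.4.50 dport=443 proto=tcp",
    "regset pid=660 key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "name=SecurityHealth data=C:\\Windows\\System32\\SecurityHealthSystray.exe",
]

if __name__ == "__main__":
    print("filename == sha256:", filename_matches_sha256(SAMPLE_SHA256 + ".exe"))
    for source, line in scan(TELEMETRY):
        print(f"[{source}] {line}")
```

The Run-key match is deliberately tied to both the value name (startup_key) and the executable name (install_name) from the extracted config, so a legitimate Run entry that merely mentions Notepad does not fire; the two C2 matches are exact on host, port and path, which is what the extracted config supports.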