General
Target: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db
Size: 2.2MB
Sample: 220520-3gcm7sghb5
MD5: faa3ca0d0141f9fe88188504bc3bac89
SHA1: edd03d0de17de2caef384daf792118cfdefc0fa8
SHA256: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db
SHA512: b5693333a3ae10dbf5707927d85ea8e96fbd668b822bd9a337b13df374957720db9c03e4d801d75244902f29a6bbb7dc882647f45fcd5ccf8d8d496307b85922
Static task: static1
Behavioral task: behavioral1
Sample: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
Resource: win7-20220414-en
Malware Config
Extracted
quasar
1.4.0.0
AlekFudd
52.188.202.106:8888
9QxkaRC5yCiT4nYveU
encryption_key: p22ObTAqvAaz7xZDWYTK
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Malwarebytes Corp.
subdirectory: SubDir
Targets
Target: 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db
Quasar Payload
suricata: ET MALWARE Common RAT Connectivity Check Observed
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of NtSetInformationThreadHideFromDebugger