General
-
Target
3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a
-
Size
3.1MB
-
Sample
220520-3taz5scdcj
-
MD5
bee78b7c6bf3e0794fd5351b5a4ebeea
-
SHA1
19744fe4bb1a73c803f5c8e3f8c715f2e08ada9b
-
SHA256
3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a
-
SHA512
041cf0f734d316d34b5a7ec39eff1246a783c1864820af43df1ad8c5766af2fbbcaf816af48ef81e0924449159282751b385b2eeb3f3c404b5da6c4f674974d9
Static task
static1
Behavioral task
behavioral1
Sample
3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a.exe
Resource
win7-20220414-en
Malware Config
Extracted
quasar
1.3.0.0
Power
5.45.67.165:2874
QSR_MUTEX_lCaExbOzxDAtqtYVRp
-
encryption_key
d5QxWp96Drx5Tu8vGyyl
-
install_name
gottem.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Frengate
-
subdirectory
SubDir
Targets
-
-
Target
3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a
-
Size
3.1MB
-
MD5
bee78b7c6bf3e0794fd5351b5a4ebeea
-
SHA1
19744fe4bb1a73c803f5c8e3f8c715f2e08ada9b
-
SHA256
3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a
-
SHA512
041cf0f734d316d34b5a7ec39eff1246a783c1864820af43df1ad8c5766af2fbbcaf816af48ef81e0924449159282751b385b2eeb3f3c404b5da6c4f674974d9
-
Quasar Payload
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-