General
Target: f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827
Size: 8.0MB
Sample: 220520-d65ylsahan
MD5: 003663017d3ef845190636d56c4477fb
SHA1: fc8967e75ea99849ee703c262df58301933a89d7
SHA256: f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827
SHA512: 15ebd16f8f64fe0a57a1bf819653817363a5bbcc665839e4f5dd0819204f502009bda12e938d3cf8f368c84a0b26b4a892f2c9f5fe9546f97fc80ab937c306b1
Static task: static1
Behavioral task: behavioral1
Sample: f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet (tag): trade
C2: wrz.ddns.net:5700
Mutex: QSR_MUTEX_HQ4Y5Dn1t3ivwyhc79
encryption_key: jlIbt3DTqIrhsELlJ19e
install_name: swctlsrv.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds between reconnect attempts)
startup_key: microsoft_update_tool (value name written under the Run key for persistence)
subdirectory: SubDir
Note: the C2 is a dynamic-DNS hostname, so its IP can change between runs; alert and block on the hostname and port rather than on a resolved address.
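The extracted config gives enough host and network artefacts to check a suspect Windows machine directly. The script below is an added example written for this page; it is not part of the sandbox report and not Quasar's own code. It takes the mutex, startup_key, install_name, subdirectory and C2 from the config above. The install root is not part of the extracted config, so the script tries the usual Quasar install roots (AppData, Program Files, System32); that list is an assumption. The mutex check only works from the same user session as the implant, because Quasar creates the mutex in the session-local namespace.

```powershell
# Added host-hunt example (not from the report): looks for the artefacts of
# the Quasar config extracted above. Run in the user session under suspicion.
$Config = @{
    C2Host      = 'wrz.ddns.net'
    C2Port      = 5700
    Mutex       = 'QSR_MUTEX_HQ4Y5Dn1t3ivwyhc79'
    InstallName = 'swctlsrv.exe'
    SubDir      = 'SubDir'
    StartupKey  = 'microsoft_update_tool'
}
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Mutex: Quasar creates a named mutex and exits if it already exists.
#    OpenExisting throws WaitHandleCannotBeOpenedException when it is absent.
try {
    $m = [System.Threading.Mutex]::OpenExisting($Config.Mutex)
    $m.Dispose()
    $Findings.Add("mutex present: $($Config.Mutex)")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present, nothing to report
}

# 2. Run-key persistence: the value name is startup_key. HKCU is used by a
#    non-elevated install, HKLM by an elevated one, so check both.
foreach ($hive in 'HKCU', 'HKLM') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $run -Name $Config.StartupKey -ErrorAction SilentlyContinue
    if ($v) {
        $Findings.Add("run key ${hive} $($Config.StartupKey) = $($v.($Config.StartupKey))")
    }
}

# 3. Dropped binary: <root>\<subdirectory>\<install_name>. The root is not in
#    the extracted config; these candidates are an assumption.
$roots = @($env:APPDATA, $env:ProgramFiles, "$env:SystemRoot\System32")
foreach ($root in $roots) {
    $p = Join-Path (Join-Path $root $Config.SubDir) $Config.InstallName
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $Findings.Add("file $p sha256=$h")
    }
}

# 4. Running process named after install_name.
$procName = [IO.Path]::GetFileNameWithoutExtension($Config.InstallName)
Get-Process -Name $procName -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("process pid=$($_.Id) path=$($_.Path)") }

# 5. Network: resolver-cache entry for the DDNS host, or a live TCP
#    connection to the C2 port (the implant reconnects every reconnect_delay ms).
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$($Config.C2Host)*" } |
    ForEach-Object { $Findings.Add("dns cache: $($_.Entry) -> $($_.Data)") }
Get-NetTCPConnection -RemotePort $Config.C2Port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Findings.Add("tcp pid=$($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State)")
    }

if ($Findings.Count) { $Findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output "[ ] no artefacts from this Quasar config found" }
```

A hit on the mutex or the Run-key value is the strongest signal, since both are unique to this build; a DNS-cache hit alone only shows that something on the host resolved the C2 name.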
Targets
- f92a19e7f5b0235930f036e99d938d443e513cf8c3ae8c552589dfb31f11e827 (8.0MB; same file as in General above)
- Quasar Payload
- suricata: ET MALWARE Common RAT Connectivity Check Observed
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
VirtualBox guests expose the vendor string VBOX__ in the ACPI table entries under HKLM\HARDWARE\ACPI.
- Executes dropped EXE
- Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
- Deletes itself
- Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which is sometimes used as a sandboxing environment.
- Loads dropped DLL
- Modifies file permissions
- Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system. Quasar itself has no bootkit component, so confirm what was written to the first disk sector before treating this as a bootkit rather than an artefact of the AutoIt wrapper.
- AutoIT Executable
AutoIt script compiled to a PE executable.
- Suspicious use of NtSetInformationThreadHideFromDebugger
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events for that thread from reaching an attached debugger, a common anti-debugging technique.