General
-
Target
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
-
Size
348KB
-
Sample
220520-fh11vsdehq
-
MD5
be1958cb2bbcde1fa0ebbdc73a579fff
-
SHA1
d91235298ccc73a1712407db6ff7b83225e66c82
-
SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
-
SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f
Behavioral task
behavioral1
Sample
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe
Resource
win7-20220414-en
Malware Config
Extracted
quasar
1.3.0.0
INFECTED
mpapwpodllalw:4787
QSR_MUTEX_ZHiYRTyEwnDVythpPG
-
encryption_key
JJ24c9vhc2iN2AuqTdrZ
-
install_name
lclsrv.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
Microsoft SMB Filter 2.0
-
subdirectory
Windows
Targets
-
-
Target
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
-
Size
348KB
-
MD5
be1958cb2bbcde1fa0ebbdc73a579fff
-
SHA1
d91235298ccc73a1712407db6ff7b83225e66c82
-
SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
-
SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f
-
Quasar Payload
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-