General
- Target: TBAG2.exe
- Size: 163KB
- Sample: 220523-v5jseshbh3
- MD5: 7f2a753436c357cf86cefee430626e09
- SHA1: 67f6f4cc1f66b7300e9692046a049efeede32dc1
- SHA256: 35f13d8f063f086e5ef1cff022a0f1bb3daf65ed7163ec7854cc9b3c8bf46c1d
- SHA512: 0e58b52adca2961b69f5e53b3f5d705b20131723f5c1244d0103a66a40616757693cf992384c0f61ba5e9f2c205ebc97a93791167cf6ba95d7280c10208403e4
Static task: static1
Behavioral task: behavioral1
- Sample: TBAG2.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted
quasar
1.4.0
Someone
192.168.2.114:4782
33bbb393-2876-451f-99b3-219386c5c0e9
- encryption_key: 2E5172990D74D1F134C8172466E0375E463B76FD
- install_name: winmanager.exe
- log_directory: properties
- reconnect_delay: 3000
- startup_key: WinManager
- subdirectory: Windows Manager
Targets
- Target: TBAG2.exe
- Size: 163KB
- Quasar Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory