General
Target: Defender.exe
Size: 1.3MB
Sample: 220523-xxc11scgd3
MD5: 6cc14968ad421ec8a585a0ae5083feb5
SHA1: fda63e3b59a4c7db0b36d1021c555f8176620970
SHA256: 127c0abe14197e0930039c56034a86fb8efcd8f4bf882afd07ee1165d7a64c04
SHA512: 7c82183dccd92a64fac5b74705d3b05bd69250f53d169cd288e97b5dd0307ba9c5c953798a09d083e74b14c22bcca93ac40a82afe6bb3f6580e7fba6bcfc8a1f
Static task: static1
Behavioral task: behavioral1
Sample: Defender.exe
Resource: win7-20220414-en
Malware Config
Extracted
quasar
1.3.0.0
Defender
Lyoni-55552.portmap.host:55552
QSR_MUTEX_L46QwMv1pXkGwq53wG
encryption_key: z5VmS7ld38qkM79BLAwN
install_name: Defender.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Targets
Target: Defender.exe
Quasar Payload
suricata: ET MALWARE Common RAT Connectivity Check Observed
Executes dropped EXE
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of NtSetInformationThreadHideFromDebugger