General
Target: e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0
Size: 411KB
Sample: 220524-s9e9pacbfq
MD5: 2adea70fccf261c8c99d87be94dff75b
SHA1: ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623
SHA256: e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0
SHA512: 286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487
Static task: static1
Behavioral task: behavioral1
Sample: e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe
Resource: win7-20220414-en
Malware Config
Extracted: quasar 1.4.0.0
BoT
C2: deepfred420.ddns.net:9064
GonbH7yXnux3KU6CkF
encryption_key: ctcKPuPY3bRDHuYmzlto
install_name: Explorer.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Explorer
subdirectory: WServices
Targets
Target: e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0
Quasar Payload
suricata: ET MALWARE Common RAT Connectivity Check Observed
Executes dropped EXE
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Drops startup file
Loads dropped DLL
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
Suspicious use of SetThreadContext
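The extracted configuration and the behavioral signatures above can be turned directly into host-side checks. The following is an added example, not part of the Triage report or of Quasar itself: it copies the C2 host:port, startup_key, install_name, subdirectory and file hashes from this page into a small matcher and runs it over constructed telemetry events. The base directory of the dropped copy is not given on the page, so the persistence check matches only on the WServices\Explorer.exe path suffix (an assumption); the event dictionary format and the sample events are likewise constructed for the demo.

```python
"""IOC matcher built from the Quasar report above (added example, constructed telemetry)."""
import hashlib
import re
from typing import Optional

# Indicators copied from the extracted Quasar config and the hash block of this report.
C2_HOST = "deepfred420.ddns.net"
C2_PORT = 9064
STARTUP_KEY = "Explorer"          # startup_key
INSTALL_NAME = "Explorer.exe"     # install_name
SUBDIRECTORY = "WServices"        # subdirectory
SAMPLE_HASHES = {
    "md5": "2adea70fccf261c8c99d87be94dff75b",
    "sha1": "ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623",
    "sha256": "e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0",
}

# Assumption (not stated in the report): the dropped copy lives at
# <unknown base dir>\WServices\Explorer.exe, so only that path suffix is matched.
_INSTALL_SUFFIX = (SUBDIRECTORY + "\\" + INSTALL_NAME).lower()


def check_dns(query: str) -> Optional[str]:
    """Flag a DNS lookup of the configured C2 hostname (trailing dot tolerated)."""
    if query.rstrip(".").lower() == C2_HOST:
        return f"dns: lookup of Quasar C2 {C2_HOST}"
    return None


def check_netconn(dst_host: str, dst_port: int) -> Optional[str]:
    """Flag an outbound connection to the configured C2 host:port."""
    if dst_host.lower() == C2_HOST and dst_port == C2_PORT:
        return f"netconn: {dst_host}:{dst_port} matches C2"
    return None


def check_run_value(name: str, data: str) -> Optional[str]:
    """Flag a Run-key value named after the report's startup_key whose command
    points at <subdirectory>\\<install_name>. Quoted paths and trailing arguments
    are tolerated. The real shell, C:\\Windows\\explorer.exe, is not started from
    a Run key and does not carry the WServices suffix, so it does not match."""
    if name.lower() != STARTUP_KEY.lower():
        return None
    image = re.match(r'\s*"?([^"]+?\.exe)"?', data, re.IGNORECASE)
    if image and image.group(1).lower().endswith(_INSTALL_SUFFIX):
        return f"run_value: {name} -> {image.group(1)} matches Quasar persistence"
    return None


def check_file(data: bytes) -> Optional[str]:
    """Hash file contents and compare against the sample's digests."""
    for algo, expected in SAMPLE_HASHES.items():
        if hashlib.new(algo, data).hexdigest() == expected:
            return f"file: {algo} matches sample"
    return None


def scan(events: list) -> list:
    """Route each constructed event to its check; return the hit messages."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        hit = None
        if kind == "dns":
            hit = check_dns(ev["query"])
        elif kind == "netconn":
            hit = check_netconn(ev["dst"], ev["port"])
        elif kind == "run_value":
            hit = check_run_value(ev["name"], ev["data"])
        elif kind == "file":
            hit = check_file(ev["data"])
        if hit:
            hits.append(hit)
    return hits


# Constructed telemetry for the demo; only the first three rows should fire.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "deepfred420.ddns.net."},
    {"type": "netconn", "dst": "deepfred420.ddns.net", "port": 9064},
    {"type": "run_value", "name": "Explorer",
     "data": r'"C:\Users\victim\AppData\Roaming\WServices\Explorer.exe"'},
    {"type": "run_value", "name": "Explorer", "data": r"C:\Windows\explorer.exe"},
    {"type": "netconn", "dst": "deepfred420.ddns.net", "port": 443},
    {"type": "file", "data": b"MZ placeholder, not the real sample"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The persistence check keys on the path suffix rather than on the bare name Explorer.exe precisely because the install_name was chosen to blend in with the Windows shell; matching the full suffix avoids flagging the legitimate binary. The hash check is the weakest of the four, since a recompiled or repacked build changes every digest while the C2 host and startup layout tend to survive.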