General
- Target: 3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a
- Size: 628KB
- Sample: 220525-cpcp3afhh6
- MD5: 2ca449f58a5f5c95541640a52e611180
- SHA1: 3159a573bf68b83c2f19c9d0c738f8995a8d9147
- SHA256: 3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a
- SHA512: 9674de07081da790be80096e7075dc69defcd6fc3fbc8688eb745087111c84afc8917034d4d07c7aa86583833d4f43e98d5a127d08f2dbce273431308b65c091
Static task: static1
Behavioral task: behavioral1
- Sample: 3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- quasar
- 1.3.0.0
- Office04
- 118.208.43.110:9991
- 118.208.43.110:9992
- 118.208.43.110:9993
- 118.208.43.110:9994
- 118.208.43.110:9995
- 118.208.43.110:10000
- 118.208.43.110:9000
- QSR_MUTEX_wm8imRtp10eDcwBwM1
- encryption_key: CLr3aJXqYhM5uP8HVkUg
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Targets
- Quasar Payload
- suricata: ET MALWARE Common RAT Connectivity Check Observed
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext