General
Target: 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1
Size: 393KB
Sample: 220701-j1tlaabcbn
MD5: 6a2c2b021b25da0f433c1224a6aa7931
SHA1: a0548551a6f59901c1ad587815d31967e7bf00d8
SHA256: 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1
SHA512: 0d9b929159b5bc083b30aac612ed2553393bc5cdddc9f50dd5dfba6567ce658e8e67506b7e47ae125a107843846aa06bb4801a33cc06821332e2677000e557c8
Static task: static1
Behavioral task: behavioral1
Sample: 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
Resource: win7-20220414-en
Malware Config
Extracted: quasar
Version: 1.4.0.0
C2: don567678.ddns.net:1714
Other extracted values (unlabeled in the report): CEO, 9norn25Q4wM4txx41r
encryption_key: ybVCqDzPNXriXCm0UUcE
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Targets
Target: 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1 (393KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures
- Quasar Payload
- suricata: ET MALWARE Common RAT Connectivity Check Observed (reported twice)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext