General
Target: 573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd
Size: 1.6MB
Sample: 220725-ahs3csehgn
MD5: 2c5dcf7821c1098be0c0fb0b9111b112
SHA1: 0d034ed0671d6f90b3be6f92fc010ae533bdcd05
SHA256: 573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd
SHA512: 5e0b5f4d7f5731844e8d68743ff5092549481e93e083763dd7315eb214aa5750bf0e12ad4fe0c7f56f437bffd70a5e4886f7cb475170a69377f2631658d9987b
Behavioral task: behavioral1
Sample: 573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
Resource: win7-20220718-en
Malware Config
Extracted: quasar
1.3.0.0
Mine New
manuel3.publicvm.com:1022
QSR_MUTEX_z2tvmEKtJhCWkEoFqb
encryption_key: lzO7ipRSIXeoGW0A0XSN
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Extracted: netwire
manuel3.publicvm.com:3366
activex_autorun: false
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: KosdgdKb
offline_keylogger: true
password: Password
registry_autorun: false
use_mutex: true
Targets
NetWire RAT payload
Quasar payload
suricata: ET MALWARE Common RAT Connectivity Check Observed
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
AutoIT Executable: AutoIT scripts compiled to PE executables.
Suspicious use of SetThreadContext