General
Target: 7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786
Size: 463KB
Sample: 220725-e6jwtaehhl
MD5: fe410944a04368c81eef23bc3e519888
SHA1: e374403c0fd537d5af14d421bdaa902245a03d91
SHA256: 7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786
SHA512: 456d52068aca2ed3dab67e247524a818f77e2eb4a45296a6fcd9939b1770e042866ea09a0d751a503f16eafdf681bb7bebeee9a60409d61549a6838f39ac801e
Static task: static1
Behavioral task: behavioral1
Sample: 7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe
Resource: win7-20220718-en
Malware Config
Extracted
Family: quasar
Version: 1.4.0.0
Tag: Office04 (field label not preserved in the extraction; "Office04" is the Quasar client's default tag)
C2: 107.173.219.125:1714
Mutex: NRgo8ArOed1VVkhIyd (field label not preserved in the extraction; label assumed from the position of the mutex in Quasar's extracted config)
encryption_key: XZyY0DaQV5kpii268lOQ
install_name: Client.exe (Quasar's default install file name)
log_directory: Logs (Quasar's default keylog directory name)
reconnect_delay: 3000 (milliseconds between reconnection attempts to the C2)
startup_key: svchost (name of the autorun registry value; Quasar's default "Quasar Client Startup" was replaced with a name resembling the Windows service host)
subdirectory: SubDir (Quasar's default install subdirectory)
Targets
Target: 7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786
Size: 463KB
MD5: fe410944a04368c81eef23bc3e519888
SHA1: e374403c0fd537d5af14d421bdaa902245a03d91
SHA256: 7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786
SHA512: 456d52068aca2ed3dab67e247524a818f77e2eb4a45296a6fcd9939b1770e042866ea09a0d751a503f16eafdf681bb7bebeee9a60409d61549a6838f39ac801e
- Quasar payload
- suricata: ET MALWARE Common RAT Connectivity Check Observed
- suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
- suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
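The Suricata connectivity-check hits above fire on the client's beacon to 107.173.219.125:1714, and the extracted reconnect_delay of 3000 ms gives a second, signature-independent handle: when the C2 is down or blocked, the client retries at a near-constant three-second cadence. The block below is an added example (not part of this sandbox report) that parses Zeek-style conn records, selects connections to the configured C2, and tests whether the retry cadence matches the configured delay. The log lines are constructed for the example: the infected host 10.0.0.5, the ports, timestamps, and the HTTPS noise row are made up, and one malformed line is included to show it being skipped; the C2 address and reconnect delay are the ones from this report.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
)

// Conn is one connection record. Field order follows a trimmed Zeek conn.log:
// ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state.
type Conn struct {
	TS                 float64
	OrigHost, RespHost string
	OrigPort, RespPort int
	Proto, ConnState   string
}

// ParseConnLog reads whitespace-separated records; '#' header lines and malformed rows are skipped.
func ParseConnLog(text string) []Conn {
	var out []Conn
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 7 {
			continue
		}
		ts, err1 := strconv.ParseFloat(f[0], 64)
		op, err2 := strconv.Atoi(f[2])
		rp, err3 := strconv.Atoi(f[4])
		if err1 != nil || err2 != nil || err3 != nil {
			continue
		}
		out = append(out, Conn{TS: ts, OrigHost: f[1], OrigPort: op, RespHost: f[3], RespPort: rp, Proto: f[5], ConnState: f[6]})
	}
	return out
}

// C2Hits returns the records whose responder is the configured C2 endpoint.
func C2Hits(conns []Conn, host string, port int) []Conn {
	var hits []Conn
	for _, c := range conns {
		if c.RespHost == host && c.RespPort == port {
			hits = append(hits, c)
		}
	}
	return hits
}

// ReconnectCadence takes the median gap between successive hits and reports whether it lies
// within tol (a fraction) of the expected delay in milliseconds. Fewer than three hits is inconclusive.
func ReconnectCadence(hits []Conn, expectedMs int, tol float64) (medianSec float64, matches bool) {
	if len(hits) < 3 {
		return 0, false
	}
	ts := make([]float64, len(hits))
	for i, h := range hits {
		ts[i] = h.TS
	}
	sort.Float64s(ts)
	gaps := make([]float64, len(ts)-1)
	for i := range gaps {
		gaps[i] = ts[i+1] - ts[i]
	}
	sort.Float64s(gaps)
	medianSec = gaps[len(gaps)/2]
	want := float64(expectedMs) / 1000
	return medianSec, math.Abs(medianSec-want) <= tol*want
}

// SampleLog is constructed for this example (not from the sandbox run): 10.0.0.5 retries the
// C2 while it is unreachable (S0 = SYN sent, no answer) with slight jitter, plus one HTTPS
// connection as noise and one malformed line.
const SampleLog = `#fields ts id.orig_h id.orig_p id.resp_h id.resp_p proto conn_state
1658750000.000 10.0.0.5 49711 107.173.219.125 1714 tcp S0
1658750001.200 10.0.0.5 49712 93.184.216.34 443 tcp SF
1658750003.010 10.0.0.5 49713 107.173.219.125 1714 tcp S0
1658750005.995 10.0.0.5 49714 107.173.219.125 1714 tcp S0
garbage line without enough fields
1658750009.020 10.0.0.5 49715 107.173.219.125 1714 tcp S0
1658750012.005 10.0.0.5 49716 107.173.219.125 1714 tcp S0
`

func main() {
	conns := ParseConnLog(SampleLog)
	hits := C2Hits(conns, "107.173.219.125", 1714) // C2 from the extracted config
	med, ok := ReconnectCadence(hits, 3000, 0.10)    // reconnect_delay from the extracted config
	fmt.Printf("%d C2 connections, median gap %.3fs, matches 3000 ms reconnect_delay: %v\n", len(hits), med, ok)
}
```

The cadence check is deliberately a median rather than a mean so that one long gap (host asleep, network change) does not hide the pattern; treat a match as corroboration of the config, not as a standalone detection, since plenty of legitimate software also retries on a fixed timer.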