General
Target: 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
Size: 349KB
Sample: 220725-eatq5sdecr
MD5: 94cb4509fbc7d4a000a35094532b2dc6
SHA1: e3a609c58c08a2d34f6f384b40dcf5df0c361c39
SHA256: 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
SHA512: 7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3
Behavioral task
behavioral1
Sample: 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
Resource: win7-20220718-en
Malware Config
Extracted
quasar
1.3.0.0
Matei
getrektscrub.hopto.org:4782
QSR_MUTEX_KkiFVxzP7AThmUYEE7
encryption_key: g4oiMoBrx37SHLCg4wcA
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: SubDir
Targets
Target: 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
Size: 349KB
MD5: 94cb4509fbc7d4a000a35094532b2dc6
SHA1: e3a609c58c08a2d34f6f384b40dcf5df0c361c39
SHA256: 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
SHA512: 7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3
Quasar payload
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
Executes dropped EXE
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.