General
-
Target
dac30ab400ec6be2daa29718ea6d0a3e.exe
-
Size
867KB
-
Sample
221015-g3q7tsfcfm
-
MD5
dac30ab400ec6be2daa29718ea6d0a3e
-
SHA1
06320ebc648623885645657fd2a72a728f2441cd
-
SHA256
93361aea837c73c75f9067700572262e69d1cfbfa6634e7ea8f249701e1fdebb
-
SHA512
67f360d49625822199c133981c4077d88d9ec2347386858f33d08d6b6f37c15af0c56cf9772e0fb819072ab4b63b13eb334237ccd727ce91cad9b68ab47ec58c
-
SSDEEP
12288:3ARp0gFW4q6AD9/Gz8hQOFPA/OcMowPzQvEXpqCctQHNM:2igFW4qbx/GY7Y/jw7tICct4a
Static task
static1
Behavioral task
behavioral1
Sample
dac30ab400ec6be2daa29718ea6d0a3e.exe
Resource
win7-20220812-en
Malware Config
Extracted
quasar
2.1.0.0
asdf
checkme12.freeddns.org:1604
VNM_MUTEX_yidaALoSEROfTPWHwX
-
encryption_key
TbfVFQWqb0uiZoBjJ9E9
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
-
subdirectory
UPX
Targets
-
-
Target
dac30ab400ec6be2daa29718ea6d0a3e.exe
-
Size
867KB
-
MD5
dac30ab400ec6be2daa29718ea6d0a3e
-
SHA1
06320ebc648623885645657fd2a72a728f2441cd
-
SHA256
93361aea837c73c75f9067700572262e69d1cfbfa6634e7ea8f249701e1fdebb
-
SHA512
67f360d49625822199c133981c4077d88d9ec2347386858f33d08d6b6f37c15af0c56cf9772e0fb819072ab4b63b13eb334237ccd727ce91cad9b68ab47ec58c
-
SSDEEP
12288:3ARp0gFW4q6AD9/Gz8hQOFPA/OcMowPzQvEXpqCctQHNM:2igFW4qbx/GY7Y/jw7tICct4a
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Quasar payload
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-