General
Target: Odeme.exe
Size: 1.8MB
Sample: 221110-llf3raaehm
MD5: e40f64fd383df33b756de97b76508dc4
SHA1: 8ea35ba8262b532748633d555ef1a5b5fb219562
SHA256: 408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38
SHA512: cccbbb34e768cab2b4ffeede69536b068e60789738a74f2b6fcc3628ba0b6e89d4b3d2dbc3400e33258505fddbbcefcc02a9eb41acea0822c175dc7a16f17b2f
SSDEEP: 24576:bGHCm8uPdJdbmQGE6GnkKsTgV7OlsUpQpqmjVxMebNVzNFm0TSG:auWBiEHs8VGs0Qsmpyeb32G
Static task: static1
Behavioral task: behavioral1
Sample: Odeme.exe
Resource: win7-20220812-en
Malware Config
Extracted: quasar
1.3.0.0
top
dnuocc.com:64594
www.dnuocc.com:64594
QSR_MUTEX_NKzsG6279pND1MmPDw
encryption_key: 6c7zzdS2IXrGaCb9wrMU
install_name: tors.exe
log_directory: Logs
reconnect_delay: 5000
startup_key: tdm
subdirectory: tilk
Targets
Target: Odeme.exe
Quasar payload
Executes dropped EXE
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext