General
Target: pendientes.xls
Size: 314KB
Sample: 221121-sha6naeg75
MD5: 3b4985250d19c9a0d4aa1e772b247075
SHA1: 243077c6c342ebbfe77b43ae91da534f9b509f9a
SHA256: 09051ade3d7c8bc6be358107b584eba08fdec0214cfd7c99e4b56f3e1e66d2b5
SHA512: 8d665cbf861751de50a71e52c4d80baaaaaff15233ea1c4256d85b1d3842625d16287310dea09231b7c1b7915c2adf8e4df25c87a83a367b662b01263e1a2930
SSDEEP: 6144:dxEtjPOtioVjDGUU1qfDlavx+W2QnAWIsfKxxOJCSynWqqVP4qk9U6gKfBfUzYKN:QanWqGPdURh2FMCd

Behavioral task: behavioral1
Sample: pendientes.xls
Resource: win7-20221111-en
Malware Config
Extracted
quasar
1.3.0.0
yop
dnuocc.com:64594
www.dnuocc.com:64594
QSR_MUTEX_OyCjWKeFudCMEKYeJX
encryption_key: In08tDaU6GKdLZ8HdsU1
install_name: yors.exe
log_directory: Logs
reconnect_delay: 7000
startup_key: crdm
subdirectory: yilk
Targets
- Quasar payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext