General
-
Target
fd9cbccbd2803786c5ea2bf54b22d693.exe
-
Size
1.0MB
-
Sample
221124-e1dgvacb5t
-
MD5
fd9cbccbd2803786c5ea2bf54b22d693
-
SHA1
97b675207f5679503f89096e7ae99b38b1bea382
-
SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
-
SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
-
SSDEEP
24576:1LY5kMJDyGouUqg75HVDBvdJ9x5LESqRel+kvujSZGp:x4kMJDyGouUqg75HVDBvdzESqRelDvuc
Behavioral task
behavioral1
Sample
fd9cbccbd2803786c5ea2bf54b22d693.exe
Resource
win7-20221111-en
Malware Config
Extracted
quasar
2.7.0.0
1877
overthinker1877.duckdns.org:4545
xiBqon3YI4gHicsPTt
-
encryption_key
IshCdNN3oYnjATmMydkq
-
install_name
1877.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
Targets
-
-
Target
fd9cbccbd2803786c5ea2bf54b22d693.exe
-
Size
1.0MB
-
MD5
fd9cbccbd2803786c5ea2bf54b22d693
-
SHA1
97b675207f5679503f89096e7ae99b38b1bea382
-
SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
-
SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
-
SSDEEP
24576:1LY5kMJDyGouUqg75HVDBvdJ9x5LESqRel+kvujSZGp:x4kMJDyGouUqg75HVDBvdzESqRelDvuc
-
Quasar payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-