General
-
Target
Estado de cuenta.xls
-
Size
369KB
-
Sample
221127-vs5t5ahe7x
-
MD5
f5a8b72709235c68196a397174152660
-
SHA1
ab863a70358f150e3f0da53c330f7226d46037f4
-
SHA256
858963fa777ab0af515f7a81ff5ce29ffdda5361c67137cf0be35095bc7f1d9b
-
SHA512
f3b247cbec98ea8423358b589dde1fb5ea17b66efe169e68536cf901f9309e34c3f9883125fd153908150ae680292987b286ede90b461875ac0557ba368579f1
-
SSDEEP
6144:exEtjPOtioVjDGUU1qfDlavx+W2QnAbwYqzklWhUPheJl7Gpe8Kg2nOQcSRWQSSL:GwYqzklavDiknOfySloh16I
Behavioral task
behavioral1
Sample
Estado de cuenta.xls
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Estado de cuenta.xls
Resource
win10v2004-20220812-en
Malware Config
Extracted
quasar
1.3.0.0
hop
dnuocc.com:64594
www.dnuocc.com:64594
QSR_MUTEX_gKkre5ge46OKHHYV4m
-
encryption_key
MWS1P9A8h60dOGbuRmwt
-
install_name
hvc.exe
-
log_directory
Logs
-
reconnect_delay
4000
-
startup_key
hrr
-
subdirectory
hik
Targets
-
-
Target
Estado de cuenta.xls
-
Size
369KB
-
MD5
f5a8b72709235c68196a397174152660
-
SHA1
ab863a70358f150e3f0da53c330f7226d46037f4
-
SHA256
858963fa777ab0af515f7a81ff5ce29ffdda5361c67137cf0be35095bc7f1d9b
-
SHA512
f3b247cbec98ea8423358b589dde1fb5ea17b66efe169e68536cf901f9309e34c3f9883125fd153908150ae680292987b286ede90b461875ac0557ba368579f1
-
SSDEEP
6144:exEtjPOtioVjDGUU1qfDlavx+W2QnAbwYqzklWhUPheJl7Gpe8Kg2nOQcSRWQSSL:GwYqzklavDiknOfySloh16I
Score10/10-
Quasar payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-