General
Target: b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c
Size: 630KB
Sample: 221130-t9pnssge45
MD5: c45c3dbe62846a145d90077e4d64fe00
SHA1: a9413e2aadb3d0fbf0168666c93c10a74fddcd8a
SHA256: b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c
SHA512: e7dd8538f223b2484c87cba7e1239d2c3ab85790a9ab5e9a31dfd3f8959982a39edcad838cb6aa5afe9348a344100ef1bc00c79d3a31d862726bbcfb098991ad
SSDEEP: 12288:2oF8GNlD5ZS/1WEJOAqRSEM3Sy21LVbK89elrrJ5:aGKIDAEQSy2TbKuKN

Static task: static1
Behavioral task: behavioral1
Sample: b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c.exe
Resource: win7-20221111-en

Malware Config
Extracted
Family: quasar
Version: 2.1.0.0
Botnet: ajith
C2: 23.105.131.178:7812
Mutex: VNM_MUTEX_NdVd2sPSSqFdo7I35g

encryption_key: jyerms3KOWmt3C9DBFuq
install_name: Windows Defender Security.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Update
subdirectory: SubDir

Targets
Target: b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c
Size: 630KB
MD5: c45c3dbe62846a145d90077e4d64fe00
SHA1: a9413e2aadb3d0fbf0168666c93c10a74fddcd8a
SHA256: b70af2ccc8fd78d0cb69aa34cdb17c61d5024055787a2ddb97051834d5d2561c
SHA512: e7dd8538f223b2484c87cba7e1239d2c3ab85790a9ab5e9a31dfd3f8959982a39edcad838cb6aa5afe9348a344100ef1bc00c79d3a31d862726bbcfb098991ad
SSDEEP: 12288:2oF8GNlD5ZS/1WEJOAqRSEM3Sy21LVbK89elrrJ5:aGKIDAEQSy2TbKuKN
Signatures
Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
Quasar payload
Executes dropped EXE
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext