General
-
Target
6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62
-
Size
666KB
-
Sample
221130-wjxb3acc57
-
MD5
aab2ed3890b8b46618a12cdf36e5fdce
-
SHA1
b0b81e6b2198f5b0019012cfc7579190fb997d68
-
SHA256
6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62
-
SHA512
4c0c72d5c31aaa92295d66fa4819d7856ef447e6b1e4c50aca8eef44b23ad3a6dfb0f75550a3da0c0839ebcb968b74409b1e30e5304ed430cff909a3cd690e12
-
SSDEEP
12288:lnIs/2hGI1yDovUZznE6++jgb21HfHfY4qMuyYcYp00:is/2hGI1y2oE6+ggbCHfHflGZcY00
Behavioral task
behavioral1
Sample
6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
quasar
1.4.0
Office04
microsoftteams.ddns.net:4050
0c65e585-dc5d-4779-b45f-9df2f3f7e35b
-
encryption_key
CB63860CD5C1811A72AA09D0BD0099CDBDFD9DCC
-
install_name
Windows Security notification icon.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security notification icon
-
subdirectory
Windows Security
Targets
Quasar payload
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-