General

Target: f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda.xls
Size: 140KB
Sample: 221203-c9gvhsgg37
MD5: 784c8beac43a6f6de17a8f05299d528f
SHA1: 636573702a1feec449e3e13e1366221e1baff96d
SHA256: f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda
SHA512: af399f746e803c9f709a99c0430a8c7faca696fb59fbfde53f12e386fb9f116f8175b61835d86ed02bac26c535a903e88b4cb9add91ed6cedb9a5f8fad030de4
SSDEEP: 3072:HrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAIWpnUXB7pqkCkGSjrU91z+M/7OmGie:LxEtjPOtioVjDGUU1qfDlavx+W2QnA1d
Behavioral task: behavioral1

Sample: f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda.xls
Resource: win7-20220901-en
Malware Config

Extracted: quasar
Version: 1.3.0.0
Botnet: voop
C2: dnuocc.com:64594, www.dnuocc.com:64594
Mutex: QSR_MUTEX_jVITO6bRbVmJHVOAi1
encryption_key: 3yswT16VMWc6VjRIJeXD
install_name: vcv.exe
log_directory: Logs
reconnect_delay: 30000
startup_key: vcr
subdirectory: vcv
Targets

Target: f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda.xls
Size: 140KB
MD5: 784c8beac43a6f6de17a8f05299d528f
SHA1: 636573702a1feec449e3e13e1366221e1baff96d
SHA256: f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda
SHA512: af399f746e803c9f709a99c0430a8c7faca696fb59fbfde53f12e386fb9f116f8175b61835d86ed02bac26c535a903e88b4cb9add91ed6cedb9a5f8fad030de4
SSDEEP: 3072:HrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAIWpnUXB7pqkCkGSjrU91z+M/7OmGie:LxEtjPOtioVjDGUU1qfDlavx+W2QnA1d

- Quasar payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext