General
- Target: payload.dll.exe
- Size: 45KB
- Sample: 230104-a73cbsgf7z
- MD5: bfb1dcba649431a822b426c8830f2d03
- SHA1: 731a34c0cc84da650b730b4b14912ccad42f7685
- SHA256: a71286ed9bc67a7bc404b462229db4cb869d36b84f41bfbc36a9227759ed434c
- SHA512: fd2e88ff79b8393ff96a9f7ee0c96bcfd24c31cd0a186548918ed42f3990e193059512e768117b95832d722c1194c06030959b80a5e16f37ce3e453add3ba809
- SSDEEP: 768:wu/JRToSkobbWUnWCimo2qBrKjGKG6PIyzjbFgX3iAFXtv9nyb2UpfSBDZ6x:wu/JRT3T82MKYDy3bCXSOXtvN0dtsd6x
Behavioral task: behavioral1
- Sample: payload.dll.exe
- Resource: win7-20220812-en
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: TRY
- C2: 1bxb.ddns.net:6606
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Extracted
- https://elevateworkforce.com/.END.txt
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: BTC
- C2: newqs.ddns.net:6666
- Mutex: QSR_MUTEX_yXXdA121x1YpxYg8uW
- encryption_key: HFwfuOKEk3Fb6O6wDQ4B
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Targets
- Target: payload.dll.exe
- Quasar payload
- Async RAT payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext