General
Target: 75031e206522faaec5981f7cf411472b23ee0508748cd5c1453e390c6facffc8
Size: 536KB
Sample: 230119-lack7afe73
MD5: 8c274dad5fd77b0692ca5c299ffb0d26
SHA1: 5dda42516b5f3b65093dae4b55506e9c8813d745
SHA256: 75031e206522faaec5981f7cf411472b23ee0508748cd5c1453e390c6facffc8
SHA512: 370c2b2f4a2342b1d3281e2b8d2a426606e0e828b4342981bcd42b16f78dd071d419d646e3c94292cf11e287347b48f2231de91a21ff2856ea08e2085da335b9
SSDEEP: 12288:k04p+yRb8qXeSCTQVpyQJPiDZOjVYXRTyyss:k0M8qXzCTQ/yQWRyq
Static task: static1
Malware Config
Extracted
Family: quasar
Version: 2.1.0.0 (not an upstream Quasar release number; upstream releases are 1.4.x, so this is a rebuilt or forked client)
Botnet / campaign tag (Quasar TAG field): Office01
C2: 172.81.131.113:4782
Mutex: VNM_MUTEX_OFUOtYdHQP7Y7fAk1P (upstream Quasar's builder uses the prefix QSR_MUTEX_ followed by 18 random characters; the 18-character suffix matches, the prefix does not, consistent with a rebranded build)
encryption_key: xufMEowCMSpdPlEx87tq
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds between C2 reconnect attempts)
startup_key: mvscs (in upstream Quasar this is the value name written under the CurrentVersion\Run key for persistence)
subdirectory: SubDir (the client installs itself as <install directory>\SubDir\Client.exe)
Targets
Target: 75031e206522faaec5981f7cf411472b23ee0508748cd5c1453e390c6facffc8 (536KB; the same file as under General, hashes listed there)
Contains code to disable Windows Defender
A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-sight. Upstream Quasar has no Defender tampering code, so this is most likely in the loader or in the fork's additions rather than in the core RAT.

Quasar payload

Executes dropped EXE

Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.
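The extracted config and the behavioural signatures above are only useful once they are turned into something that runs over telemetry. The following is an added example, not code from the sandbox report or from the Quasar project: it takes the config values listed on this page (C2, mutex, install name, subdirectory, startup key) and checks them against a handful of constructed Sysmon-shaped event records plus one mutex record of the kind a sandbox or EDR emits (Sysmon itself does not log mutexes). The assumptions are that this variant keeps the open-source Quasar client's persistence layout (startup_key as the value name under a CurrentVersion\Run key, install path ending in SubDir\Client.exe) and that a Defender-tampering routine flips the usual policy DWORDs to 1; the event records are constructed for the example.

```python
r"""Detection checks derived from the report's extracted Quasar config.

Added example; not code from the sandbox report or the Quasar project.
CONFIG is copied from the report. The Run-key persistence value name and the
<dir>\<subdirectory>\<install_name> layout follow the open-source Quasar
client and are an assumption about this 2.1.0.0 build. SAMPLE_EVENTS are
constructed, Sysmon-shaped records plus one sandbox/EDR-style mutex record.
"""
import ipaddress
from dataclasses import dataclass

CONFIG = {  # values from the report
    "c2": "172.81.131.113:4782",
    "mutex": "VNM_MUTEX_OFUOtYdHQP7Y7fAk1P",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "mvscs",
}

# Defender policy values a tamper routine typically sets to 1. Sysmon EID 13
# renders a REG_DWORD as 'DWORD (0x00000001)'.
DEFENDER_KILL_VALUES = {"disablerealtimemonitoring", "disableblockatfirstseen",
                        "disableantispyware", "disableioavprotection"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event_index: int
    detail: str


def build_iocs(config):
    """Turn the config strings into the concrete values the rules compare against."""
    host, port = config["c2"].rsplit(":", 1)
    ipaddress.ip_address(host)  # this sample's C2 is a bare IP; a hostname would need DNS telemetry instead
    return {
        "c2_ip": host,
        "c2_port": int(port),
        "install_suffix": f"\\{config['subdirectory']}\\{config['install_name']}".lower(),
        "run_value_suffix": f"\\currentversion\\run\\{config['startup_key']}".lower(),
        "mutex": config["mutex"],
    }


def match_events(events, config):
    """Run every rule over every event; returns findings in event order."""
    iocs = build_iocs(config)
    findings = []
    for i, ev in enumerate(events):
        kind = ev["Type"]
        if kind == "NetworkConnect" and ev.get("DestinationIp") == iocs["c2_ip"]:
            # Exact IP:port is the configured C2; same IP on another port still deserves a look.
            if int(ev.get("DestinationPort", 0)) == iocs["c2_port"]:
                findings.append(Finding("quasar_c2_connect", "high", i, f"{ev.get('Image')} -> {config['c2']}"))
            else:
                findings.append(Finding("quasar_c2_ip_other_port", "medium", i,
                                        f"{ev.get('Image')} -> {ev['DestinationIp']}:{ev.get('DestinationPort')}"))
        elif kind == "RegistryValueSet":
            target = ev.get("TargetObject", "")
            value_name = target.rsplit("\\", 1)[-1].lower()
            if target.lower().endswith(iocs["run_value_suffix"]):  # any hive: HKU\<SID>\..., HKLM\...
                findings.append(Finding("quasar_run_key_persistence", "high", i, ev.get("Details", "")))
            elif "windows defender" in target.lower() and value_name in DEFENDER_KILL_VALUES \
                    and ev.get("Details", "").endswith("0x00000001)"):
                findings.append(Finding("defender_tamper_policy", "high", i, target))
        elif kind in ("ProcessCreate", "FileCreate"):
            path = (ev.get("Image") or ev.get("TargetFilename") or "").lower()
            if path.endswith(iocs["install_suffix"]):
                findings.append(Finding("quasar_install_path", "medium", i, path))
        elif kind == "MutexCreate" and ev.get("Name") == iocs["mutex"]:
            findings.append(Finding("quasar_mutex", "high", i, ev["Name"]))
    return findings


SAMPLE_EVENTS = [  # constructed for this example
    {"Type": "ProcessCreate", "Image": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"},
    {"Type": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\mvscs",
     "Details": r'"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"'},
    {"Type": "RegistryValueSet",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Type": "NetworkConnect", "Image": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe",
     "DestinationIp": "172.81.131.113", "DestinationPort": "4782"},
    {"Type": "MutexCreate", "Name": "VNM_MUTEX_OFUOtYdHQP7Y7fAk1P"},
    {"Type": "NetworkConnect", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "172.81.131.113", "DestinationPort": "443"},  # same host, different port
    {"Type": "RegistryValueSet",  # benign Run entry; must not fire
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for f in match_events(SAMPLE_EVENTS, CONFIG):
        print(f"[{f.severity}] {f.rule} (event {f.event_index}): {f.detail}")
```

The Run-key match deliberately ignores the hive prefix because Sysmon reports HKCU writes as HKU\<SID>\..., and the install-path match keys on the SubDir\Client.exe suffix only, since the base directory is not in the extracted config. The C2 IP is matched on any port at lower severity so that a rebuilt client with a changed port, or the same infrastructure reused for another family, still surfaces.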