General

Target: 1.xlsm
Size: 42KB
Sample: 230127-la1m1sbe5t
MD5: 9567cc095b840a0156939bd14bd60d1b
SHA1: bc066fb87caf1ea2dd5e710210a40371f83945b5
SHA256: 6dace0bce0139f7a90be79aaa73a97df7903fc31ddbed4ba16a7712e0d20a9d7
SHA512: 434558080df7752ee37bf738f3e73abff7f1f19c43dd9f99f7d5623caedcb9fd70c798922798d0b00ee23bf8b824ce5c972602cb96f8bb7e9899e8bcd7554be6
SSDEEP: 768:RZvptTvBssn/24oBIJYfTH+niSpFvDHz0v+nW6FFiKk/fGqtCAwgRy+nQ+1N:bvHvBTfoG1BnTz0v+hFFi3/eqE5gzQ+f
Behavioral task: behavioral1
Sample: 1.xlsm
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 1.xlsm
Resource: win10v2004-20220812-en
Malware Config

Extracted: quasar
Version: 1.3.0.0
Extraction status: SUCCESS
C2: 41.185.97.216:4782
Mutex: MUTEX_QAxMFzrXWG2cbIHPGK
encryption_key: JRUJdiIOmPJ5LlsFaVs9
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: cmd
subdirectory: SubDir
Targets

Target: 1.xlsm
Size: 42KB
(hashes identical to those listed in the General section above)
Score: 10/10

Signatures:
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Quasar payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext