General
- Target: cc2d0c3397041334b027bc4390544c06b1393732837b6e8ccc15569abadad5fc
- Size: 1.3MB
- Sample: 230129-r7lg9abe66
- MD5: 3991c789ed9ca51b56a2d87ade48cb35
- SHA1: 9ebeda70da12328ed412cb105861e06210b64b14
- SHA256: cc2d0c3397041334b027bc4390544c06b1393732837b6e8ccc15569abadad5fc
- SHA512: f117241d7f8993a182aece7ccaf8753bb33a4b206c5f5d72b2d140778b2e5a02cca409e2eabc0ab3bf96c7bc85309bfe1c5a691dc7a63edd4fb7a0b94fce822c
- SSDEEP: 12288:r6NSgL0KFOdisSPDeAS7pmcApQpQCtWV1fFxxO3XU3/KnJPOjTt1N70FeNP6Dj:WWK6ilM7TApQqVFCU3/KJ6rNGeNP6D
Static task: static1
Behavioral task: behavioral1
- Sample: cc2d0c3397041334b027bc4390544c06b1393732837b6e8ccc15569abadad5fc.exe
- Resource: win7-20220812-en
Malware Config
Extracted
- quasar
- 1.3.0.0
- Office04
- 51.83.153.85:5000
- QSR_MUTEX_5uMaV9gOc4CzQqg9F2
- encryption_key: tArX63HaWQRmB3XpAuu1
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Targets
- Quasar payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely used for geofencing.
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext