General

Target: 8b991be4706455f00586b345e836f27f8bc7c739a5e74090f425267f7e23230b
Size: 11.3MB
Sample: 230129-z8vrbaeg4z
MD5: 9a7c6e9e4341ad806d89fd54dbc54106
SHA1: 6f60af10602477f58a4882c35bf2195974f68659
SHA256: 8b991be4706455f00586b345e836f27f8bc7c739a5e74090f425267f7e23230b
SHA512: ce92939c290d681d5dddb11bcd11f00a183a252f21bfbd8732993d6c35d74d82079173919bf450cbe0cb393ef3845015cafb0febca8fd104e39e78d497e2eba6
SSDEEP: 196608:QYDB3GqvqSoKND8Pu6FCjl2NU1mWIBMBKsv7eGMCQZPSf2Wi2ejaBsfNTxLoS:hW8qCDe/YkOeiKZPSf2WiZbfNTx
Static task: static1

Behavioral task: behavioral1
  Sample: 8b991be4706455f00586b345e836f27f8bc7c739a5e74090f425267f7e23230b.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 8b991be4706455f00586b345e836f27f8bc7c739a5e74090f425267f7e23230b.exe
  Resource: win10v2004-20220901-en
Malware Config

Extracted
  Family: quasar
  Version: 2.1.0.0
  Botnet: svchost
  C2: brawny-seat.auto.playit.gg:43523
  Mutex: VNM_MUTEX_pXcIZtjIcgUFvGjb4Y
  Attributes:
    encryption_key: g9s1kRSzQnDiqkRUUASg
    install_name: Client.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: svchost
    subdirectory: SubDir
Targets

Target: 8b991be4706455f00586b345e836f27f8bc7c739a5e74090f425267f7e23230b
Size: 11.3MB
(MD5, SHA1, SHA256, SHA512 and SSDEEP are the same as listed under General above.)
Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Quasar payload
Executes dropped EXE
Deletes itself
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of NtSetInformationThreadHideFromDebugger