General

Target: x.hta
Size: 7KB
Sample: 230207-ve6jhacg35
MD5: 7a5fd24f27540d68f96bc72ed413f215
SHA1: de5df002413d73f6b4ccbf62ae41f83ecdef44d5
SHA256: bc74932f267e68a7a1bb770d7d50b001b61e1aeef0382b648e6142fb31acb3fe
SHA512: d3823e32fc7b6b10c4ab8627fa6753430ac19c2348d000f421707e84fb905b5a340114efefddfe12a4714a9a566d1ee71f55c0aeb0849c3b5182d8b633db3445
SSDEEP: 96:tulyZc/zRqwwPQDNpTOyXCiLTqQpNZdkIMjwFaR6nwQlVzIEzKOPmi:y/z85oDNpT1LTqQjMDAfkEzKOPmi
Tasks

Static task: static1
Behavioral task: behavioral1 (sample x.hta, resource win7-20220812-en)
Behavioral task: behavioral2 (sample x.hta, resource win10v2004-20220812-en)
Malware Config

Extracted
Family: quasar
Version: 1.3.0.0
Botnet/tag: Office04
C2: requiredhome.ru:3042
Mutex: QSR_MUTEX_sDbanf3bIc7d4Or0Vk

Attributes
encryption_key: lzkaGXX9PqnE3GnlX6CW
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds)
startup_key: Quasar Client Startup
subdirectory: SubDir

Note: the tag (Office04), install_name, subdirectory, log_directory and startup_key are the Quasar client builder defaults, so they are weak for attributing this sample to a particular operator but reliable for detecting an unmodified Quasar build; the C2 host:port, mutex and encryption_key are the sample-specific values.
Targets

Target: x.hta
Size: 7KB
MD5: 7a5fd24f27540d68f96bc72ed413f215
SHA1: de5df002413d73f6b4ccbf62ae41f83ecdef44d5
SHA256: bc74932f267e68a7a1bb770d7d50b001b61e1aeef0382b648e6142fb31acb3fe
SHA512: d3823e32fc7b6b10c4ab8627fa6753430ac19c2348d000f421707e84fb905b5a340114efefddfe12a4714a9a566d1ee71f55c0aeb0849c3b5182d8b633db3445
SSDEEP: 96:tulyZc/zRqwwPQDNpTOyXCiLTqQpNZdkIMjwFaR6nwQlVzIEzKOPmi:y/z85oDNpT1LTqQjMDAfkEzKOPmi
Score: 10/10

Signatures

Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.

Quasar payload

Blocklisted process makes network request

Registers COM server for autorun

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.

Drops file in System32 directory

Suspicious use of SetThreadContext
Setting the thread context of another process's thread is the usual final step of process hollowing or thread hijacking, where an injected payload is pointed to by rewriting the instruction pointer.
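The extracted config and the behavioural signatures above are only useful once they become checks that run over telemetry. The following is an added example, not part of the sandbox report and not Quasar's or the sandbox's own code: it turns the config values into host and network indicators and runs the report's signature logic (child of a script host, blocklisted process making a network request, the configured C2, the Run-key persistence name, the install path) over a handful of constructed Sysmon-style events. The event field names, the LOLBin blocklist, the assumption that Quasar registers its startup_key as a value under the CurrentVersion\Run key, and the assumption that the client lands under <subdirectory>\<install_name> are mine, not statements of the report.

```python
"""Turn the report's Quasar config and signatures into runnable checks.

Added example; the config values are copied from the report, everything
else (event schema, blocklist, Run-key assumption) is assumed.
"""
import ntpath

# Values copied from the report's "Malware Config" section.
QUASAR_CONFIG = {
    "family": "quasar",
    "version": "1.3.0.0",
    "tag": "Office04",
    "c2": "requiredhome.ru:3042",
    "mutex": "QSR_MUTEX_sDbanf3bIc7d4Or0Vk",
    "install_name": "Client.exe",
    "startup_key": "Quasar Client Startup",
    "subdirectory": "SubDir",
}

# Script/proxy-execution binaries that should rarely open network
# connections on a workstation. Assumed list, not from the report.
NETWORK_BLOCKLIST = {"mshta.exe", "wscript.exe", "cscript.exe",
                     "regsvr32.exe", "rundll32.exe"}


def basename(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def c2_host_port(cfg):
    """Split the report's 'host:port' C2 string into (host, port)."""
    host, _, port = cfg["c2"].rpartition(":")
    return host.lower(), int(port)


def iocs(cfg):
    """Host/network artefacts implied by the config.

    The install path suffix assumes Quasar drops <install_name> inside
    <subdirectory>; the base directory varies per build, so only the
    suffix is matched.
    """
    return {
        "run_value_name": cfg["startup_key"],
        "mutex": cfg["mutex"],
        "install_suffix": "\\" + cfg["subdirectory"] + "\\" + cfg["install_name"],
        "c2": c2_host_port(cfg),
    }


def match_event(ev, cfg):
    """Return the names of every rule the event triggers."""
    hits = []
    eid = ev["id"]                      # Sysmon event id (1, 3, 11, 13)
    if eid == 1 and basename(ev.get("parent_image", "")) == "mshta.exe":
        hits.append("mshta_spawned_child")
    if eid == 3:
        if basename(ev.get("image", "")) in NETWORK_BLOCKLIST:
            hits.append("blocklisted_process_network")
        if (ev.get("dest_host", "").lower(), ev.get("dest_port")) == c2_host_port(cfg):
            hits.append("known_quasar_c2")
    if eid == 13:
        obj = ev.get("target_object", "")
        in_run_key = "\\currentversion\\run\\" in obj.lower()
        if in_run_key and obj.rsplit("\\", 1)[-1] == cfg["startup_key"]:
            hits.append("quasar_startup_key")
    if eid == 11:
        suffix = iocs(cfg)["install_suffix"].lower()
        if ev.get("target_filename", "").lower().endswith(suffix):
            hits.append("quasar_install_path")
    return hits


def scan(events, cfg):
    """Run every rule over every event; returns [(event_index, rule), ...]."""
    return [(i, h) for i, ev in enumerate(events) for h in match_event(ev, cfg)]


# Constructed sample telemetry (not from the report): a simplified Sysmon
# process-create (1), network (3), file-create (11) and registry (13) stream.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\x.hta"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden"},
    {"id": 3, "image": r"C:\Windows\System32\mshta.exe",
     "dest_host": "requiredhome.ru", "dest_port": 3042},
    {"id": 13, "image": r"C:\Users\u\AppData\Roaming\SubDir\Client.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup"},
    {"id": 11, "image": r"C:\Windows\System32\mshta.exe",
     "target_filename": r"C:\Users\u\AppData\Roaming\SubDir\Client.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS, QUASAR_CONFIG):
        print(f"event {index}: {rule}")
```

The mutex is deliberately not matched here: Sysmon does not log mutex creation, so QSR_MUTEX_sDbanf3bIc7d4Or0Vk is a live-host check (handle enumeration or a scanner that tries to open the named mutex) rather than a log-based one. The C2 rule matches on host name because that is what the report gives; in practice pair it with the resolved IP, since a hostname-only rule misses a client that was built with the IP directly.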