General
Target: 398d98b126f3924b8618fdbf11d52aad45a74cb2b70f8efa38592b8cb1aaadb4
Size: 144KB
Sample: 230211-bwp4asaa3x
MD5: 0cea18b50592fb0573908dd2654f1784
SHA1: 2bbd52b164055b5e33bab2461c2aa3ca8c555c0d
SHA256: 398d98b126f3924b8618fdbf11d52aad45a74cb2b70f8efa38592b8cb1aaadb4
SHA512: f717746632b394d9f7afbae4a88bca22d6b51d0c21f07798564d1ea7466a545a075237f44f1951355e49d697c751756ccdad19061b52cfcbefd196a50aa2a20e
SSDEEP: 3072:TWT5ABV0BtcyOUXJTkPj/JitMh+byG25O6ZDuxKIgFDz7V:iTeBV03cyOUmrgWJO6ZSxKIgp7V
Static task: static1
Behavioral task: behavioral1
  Sample: 398d98b126f3924b8618fdbf11d52aad45a74cb2b70f8efa38592b8cb1aaadb4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 398d98b126f3924b8618fdbf11d52aad45a74cb2b70f8efa38592b8cb1aaadb4.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted
quasar
1.4.0.0
Office04
spoofer.sytes.net:4782
Xt4orhlt3APwEULq83
encryption_key: lm9tqqmq7KePP7IJgOau
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Cortana
subdirectory: Microsoft
Targets
Target: 398d98b126f3924b8618fdbf11d52aad45a74cb2b70f8efa38592b8cb1aaadb4
Size: 144KB
MD5: 0cea18b50592fb0573908dd2654f1784
SHA1: 2bbd52b164055b5e33bab2461c2aa3ca8c555c0d
SHA256: 398d98b126f3924b8618fdbf11d52aad45a74cb2b70f8efa38592b8cb1aaadb4
SHA512: f717746632b394d9f7afbae4a88bca22d6b51d0c21f07798564d1ea7466a545a075237f44f1951355e49d697c751756ccdad19061b52cfcbefd196a50aa2a20e
SSDEEP: 3072:TWT5ABV0BtcyOUXJTkPj/JitMh+byG25O6ZDuxKIgFDz7V:iTeBV03cyOUmrgWJO6ZSxKIgp7V
Score: 10/10
- Quasar payload
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.