General

- Target: svchost.exe
- Size: 502KB
- Sample: 230213-r5pf5adc7w
- MD5: 91889bc763dbb417e04b7055dad76017
- SHA1: 468ef6078b39aee737fdff011952cbaa0811a8f7
- SHA256: 7eafe295746a209dec85a32474b473bf4d61c843020f9d435c73c2bd9d67b1a3
- SHA512: 848828336b05f00d5b9cd8c6690e455c01a663eb1667ce9b3282f03ed766a5a1b5d9ae502d76c90b64fad4d4570164e16a1fd045b4fa39b77e022da0875f2393
- SSDEEP: 6144:hTEgdc0YrXAGbgiIN2RSBreBTAFQKmFLULcEcOb8F94SM01Lc6OcTR3C:hTEgdfYbbg7spdM026OcdC
Behavioral task: behavioral1

- Sample: svchost.exe
- Resource: win7-20221111-en
Malware Config

Extracted

- Family: quasar
- Version: 1.4.0
- Office04
- mingrelian.ddns.net:5552
- ac295147-615a-4c75-baa4-17de592dbddd
- encryption_key: 8D503852994A4016F90481B3C6305365B2B155CF
- install_name: svchost.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Targets

- Target: svchost.exe
- Quasar payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory