General
Target: bf9b4cd5196c0a05a596bff8478e056558282f12812441edce4c1d06a596ca03
Size: 5.9MB
Sample: 230215-phwktabf82
MD5: d84ebbfcfb1727d11496c170591c7aa8
SHA1: 41728e4334aca4b3f417ac9d06af146262500145
SHA256: bf9b4cd5196c0a05a596bff8478e056558282f12812441edce4c1d06a596ca03
SHA512: 6f343bab1682d0874e797f8ef772f53d73a6e83d1165d36b1e178ba7f8f69952e5b471ff4bd7326d6ccc63eeee70d28fc8752a1f6a28a609ec2d0cf568695a11
SSDEEP: 98304:nmOvccAZPL4N3WlkqL6w9twz+IaZ7AMjwEQ6PCK9WTN3SnUwZSk1nZh:mOvtAZj41WJ6pzqZjwT6p9ON3xwJZ

Static task: static1
Behavioral task: behavioral1
Sample: bf9b4cd5196c0a05a596bff8478e056558282f12812441edce4c1d06a596ca03.exe
Resource: win7-20221111-en

Malware Config

Extracted: quasar
1.4.0
4Drun
87.121.52.241:4000
565c0b54-8fec-4eb0-a932-429f55a0cc82
encryption_key: B000736BEBDF08FC1B6696200651882CF57E43E7
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: 3dfx Startup
subdirectory: SubDir

Extracted: asyncrat
0.5.7B
Default
87.121.52.241:2000
AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: 3dfx.exe
install_folder: %AppData%

Targets

Target: bf9b4cd5196c0a05a596bff8478e056558282f12812441edce4c1d06a596ca03
Size: 5.9MB
MD5: d84ebbfcfb1727d11496c170591c7aa8
SHA1: 41728e4334aca4b3f417ac9d06af146262500145
SHA256: bf9b4cd5196c0a05a596bff8478e056558282f12812441edce4c1d06a596ca03
SHA512: 6f343bab1682d0874e797f8ef772f53d73a6e83d1165d36b1e178ba7f8f69952e5b471ff4bd7326d6ccc63eeee70d28fc8752a1f6a28a609ec2d0cf568695a11
SSDEEP: 98304:nmOvccAZPL4N3WlkqL6w9twz+IaZ7AMjwEQ6PCK9WTN3SnUwZSk1nZh:mOvtAZj41WJ6pzqZjwT6p9ON3xwJZ

- Quasar payload
- Async RAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Possible privilege escalation attempt
- Stops running service(s)
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions