General

Target: Credit note FEB23.exe
Size: 956KB
Sample: 230216-khk2vsgd6s
MD5: d0620b6592435383246986535d5bd90c
SHA1: c7bfdd4e3d77ae0417f8dfa84af98db180b89e31
SHA256: 274e032cefa381cff9cdddba5463d2f1a14c9e64c3ae8e41b4b960b8e3f95ac5
SHA512: 620511215cbfdb34c05ced3722588ab25eff93cd64bd377c3882ea6014593d73954657d58b6c1573354abad89efd1333e2b2b4eb1b44214f18b7c3595b671c27
SSDEEP: 24576:QAzssFINDnpNOlAe/2wPdVF5iMZagA39+vD8+qiS0DCtIT:QGd/5iMZagAuQ+s
Static task: static1
Behavioral task: behavioral1
Sample: Credit note FEB23.exe
Resource: win7-20220812-en
Malware Config

Extracted:
- quasar
- 1.4.0
- Office04
- 37.120.210.219:9771
- cdc62cc3-297d-4baa-b514-fcd69f23b760
- encryption_key: F6CA1DFF4431556F5D775676A4005D1B1ABD97F4
- install_name: Client.exe
- log_directory: quasar
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Targets

Target: Credit note FEB23.exe
- Quasar payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext