General

Target: Client-builtduk.exe
Size: 502KB
Sample: 230217-syjgzagb28
MD5: e16470596e795b2d671d0587a50f0a39
SHA1: 222d454c14f8347f2b05986b9d7e279f53282820
SHA256: f6f96c1d38b368472b28b9ffb23b099de90f04bfec19ca24224b215d86c401af
SHA512: 04f0c3cd6fb20b200831ea8cb3659eb009c008da5ac4e404f30b5d1881c434e1bf2a03854a7770d0ac7a03d3b7210aa5b14af9d748d2b290c153bf677ea02bf8
SSDEEP: 6144:DTEgdc0YCXc2rao+RGmTnIEdm/9KI0/QpocExeb8F9oLdHpcTR3v:DTEgdfYYramx01hZiFpcdv
Behavioral task

behavioral1
Sample: Client-builtduk.exe
Resource: win7-20220901-en
Malware Config

Extracted family: quasar
Version: 1.4.0
Campaign/ID: Office04
C2 hosts:
  mingrelian.ddns.net:5552
  127.0.0.1:5552
  mingrelian.duckdns.org:5552
Mutex/ID: ac295147-615a-4c75-baa4-17de592dbddd
encryption_key: 8D503852994A4016F90481B3C6305365B2B155CF
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Targets

Target: Client-builtduk.exe
Size: 502KB
(hashes as listed under General above)

Signatures:
  Quasar payload
  Executes dropped EXE
  Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.