General
Target: kujik.exe
Size: 32.9MB
Sample: 230221-2erhxagh32
MD5: a96513026d7c3abdeb5f31abb91dc86f
SHA1: 85a0327efaa990584591029f61ee9cb8d2eebd84
SHA256: c9f747866b3808056c29656c2ed8dc9c74364e09604fe77a1984bd1247605842
SHA512: d426a4437a12636c8abb833d870ded636cc4bc332a724558fc0773d856ff101099c28fa5bbe40bf46dfc91052b650fabe18c5988fbf322bac05cf1241f7f81ed
SSDEEP: 786432:uhNBs1A4fLzRgQCwhcdiUOSqq+vcG9DQSEfrJ7VllwjEcBSZo/Ed0kVNZMTUo:uzQTL6xdiPSqq+v3Ef/llDc0Gy0kVNIZ
Static task: static1
Behavioral task: behavioral1
Sample: kujik.exe
Resource: win7-20230220-en
Malware Config
Extracted: quasar
1.4.0
kijuk
76t7hh-51153.portmap.host:51153
craciton.duckdns.org:7771
1cfe7ed6-9001-490c-9121-6234ae195f28
encryption_key: 2C0C62BDD42E42BC77F98F8E1EE713B43F791267
install_name: SiHost64.exe
log_directory: MicrosoftWindows32
reconnect_delay: 69
startup_key: Microsoft Helper
subdirectory: WindowsHTR
Targets
- Quasar payload
- StormKitty payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger