General

Target: Client-built.exe
Size: 502KB
Sample: 230225-wnf6msdg41
MD5: a70eb80f62175945e7a830f4966b1108
SHA1: b6d9ff4ca8f836c60c643e47fd3a22b96d600cac
SHA256: 3651d825403a98583a3f9622d221f0dece996d6f5e3614114ad2d2625144216b
SHA512: 883030c34b3e281cec19a7734e9f484c3fd4f9fa7b7f109e01c5750404a6d2856c3d40cdb4072682ab76818940bd075990b1cf054b60f467ee0102c907453856
SSDEEP: 6144:BTEgdc0YtX7IxUpGREW9nzXxm67rkW5Etqq+yw4fUcEpOb8F9i6v3aWvtoTcTR3i:BTEgdfY2xUQzh4n4Tyw/5pT3aQGcd7G
Malware Config

Extracted family: quasar
Version: 1.4.0
Tag: Office04
C2: 194.ip.ply.gg:54552
Mutex: 716c625d-c482-416b-b1b9-99229108bb5a
encryption_key: B9045A156EB992A12FC06BA7C5161D3D36F95066
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: ss
subdirectory: SubDir
Targets

Target: Client-built.exe (the same 502KB sample listed under General)
- Quasar payload
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory