General
-
Target
02f7467c0a07153c0c9fec745a96f819.exe
-
Size
347KB
-
Sample
230307-vp83daah87
-
MD5
02f7467c0a07153c0c9fec745a96f819
-
SHA1
1f3b662f4597a97182134c542718a09ac14dbe53
-
SHA256
00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7
-
SHA512
13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4
-
SSDEEP
6144:T7L+PQIshf4BnYow5U7b7rSMauoLQF1I89lA:3issWUnShLQF1I89lA
Behavioral task
behavioral1
Sample
02f7467c0a07153c0c9fec745a96f819.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
02f7467c0a07153c0c9fec745a96f819.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
quasar
1.3.0.0
---trens--
qassar1122.ddns.net:2007
QSR_MUTEX_MnRnXGbvBvn8Tkxj0A
-
encryption_key
i4DXiO929iCJdpvsIcV3
-
install_name
Update service.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
service update
-
subdirectory
microsofte
Extracted
darkcomet
office2010
darck111.ddns.net:2006
DCMIN_MUTEX-6C5K0B1
-
gencode
v30h5qiY2jCx
-
install
false
-
offline_keylogger
true
-
persistence
false
Targets
-
-
Target
02f7467c0a07153c0c9fec745a96f819.exe
-
Size
347KB
-
MD5
02f7467c0a07153c0c9fec745a96f819
-
SHA1
1f3b662f4597a97182134c542718a09ac14dbe53
-
SHA256
00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7
-
SHA512
13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4
-
SSDEEP
6144:T7L+PQIshf4BnYow5U7b7rSMauoLQF1I89lA:3issWUnShLQF1I89lA
-
Modifies WinLogon for persistence
-
Quasar payload
-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-