General
-
Target
Recrypted.pif
-
Size
2.9MB
-
Sample
230309-jn2q5abb93
-
MD5
68a23c2fc62bddad0a2c6cf36003577b
-
SHA1
67a19bf734520933adfa28afc017c3af1d6a3d5b
-
SHA256
7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7
-
SHA512
0386671ee83c0825f80a0c95b4e21eb23054878546aff5d8ef63a3bcc6a32c53a61397009aee8e8c5fc171b1ed0e9b69a31111eb1b860e1ff67264fcac806cef
-
SSDEEP
24576:plubLwtFDS7FYNYD7264xnRhc/LSXxH227hqRCeFcOziFJLUfdKTgWA22222222:gZ7h4xnRhcGXxHxOqdq1pup
Static task
static1
Behavioral task
behavioral1
Sample
Recrypted.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Recrypted.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
quasar
1.3.0.0
SUCCESS
41.185.97.216:4782
MUTEX_QAxMFzrXWG2cbIHPGK
-
encryption_key
4DwUV8AnxPgmXSMeThKb
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
cmd
-
subdirectory
SubDir
Targets
-
-
Target
Recrypted.pif
-
Size
2.9MB
-
MD5
68a23c2fc62bddad0a2c6cf36003577b
-
SHA1
67a19bf734520933adfa28afc017c3af1d6a3d5b
-
SHA256
7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7
-
SHA512
0386671ee83c0825f80a0c95b4e21eb23054878546aff5d8ef63a3bcc6a32c53a61397009aee8e8c5fc171b1ed0e9b69a31111eb1b860e1ff67264fcac806cef
-
SSDEEP
24576:plubLwtFDS7FYNYD7264xnRhc/LSXxH227hqRCeFcOziFJLUfdKTgWA22222222:gZ7h4xnRhcGXxHxOqdq1pup
Score10/10-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-