General

Target: Inv_39155_from_NITRALIFE_SOUTHERN_AFRICA_PTY_LTD_4420.xlsm
Size: 42KB
Sample: 230309-kgfqraad2t
MD5: edef1e97fcca56228c1956db6b514f55
SHA1: 00d1bb1cf96aee9a21508b23f6ac113153131b1c
SHA256: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93
SHA512: ba718485a68b2a9f5c134e186309dae1d169c22fcc15a4d028121df564fd64a9805e3d31a7edf82279b371c883721dc4d8accc2a3fe02ab3b841cd184b7aa236
SSDEEP: 768:WrvDK4vwssnjS7zWl2BIJYfTH+niSpwvDHvDv+nWfFFiKk/f1qtfHF7RT+nsFf:ivXvwTjSul2G1BoTvDv+0FFi3/dqJl7Z
Behavioral task: behavioral1
Sample: Inv_39155_from_NITRALIFE_SOUTHERN_AFRICA_PTY_LTD_4420.xlsm
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: Inv_39155_from_NITRALIFE_SOUTHERN_AFRICA_PTY_LTD_4420.xlsm
Resource: win10v2004-20230220-en
Malware Config

Extracted
Family: quasar
Version: 1.3.0.0
Botnet: SUCCESS
C2: 41.185.97.216:4782
Mutex: MUTEX_QAxMFzrXWG2cbIHPGK
encryption_key: 4DwUV8AnxPgmXSMeThKb
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: cmd
subdirectory: SubDir
Targets

Target: Inv_39155_from_NITRALIFE_SOUTHERN_AFRICA_PTY_LTD_4420.xlsm
Size: 42KB
MD5: edef1e97fcca56228c1956db6b514f55
SHA1: 00d1bb1cf96aee9a21508b23f6ac113153131b1c
SHA256: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93
SHA512: ba718485a68b2a9f5c134e186309dae1d169c22fcc15a4d028121df564fd64a9805e3d31a7edf82279b371c883721dc4d8accc2a3fe02ab3b841cd184b7aa236
SSDEEP: 768:WrvDK4vwssnjS7zWl2BIJYfTH+niSpwvDHvDv+nWfFFiKk/f1qtfHF7RT+nsFf:ivXvwTjSul2G1BoTvDv+0FFi3/dqJl7Z
Score: 10/10

Signatures
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
Quasar payload
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext