General

Target: FenixCheatBETA.exe
Size: 25.5MB
Sample: 230315-ar2qvsce2v
MD5: 4ffd42d26dc1f942be4154c18ce3be55
SHA1: 44dfc8e59cbbdda58d03f81ef4ea57566f528858
SHA256: 571ddfbe3251be2f3908505e755ebf70dab52fe6bf6cddf875991afa940efaab
SHA512: d50cfc6b488fb701c643e08a48a9e69af50ab7c6589f2911bb07abf411777d0fb34a136e91f19896b3da518e85c82f2c276c6baffecb3f8d20820a9e2ac6df54
SSDEEP: 393216:erES87bfONTU7MEmKbOaVan4W2tlXXQ1K3BflIYGloxEHJy9SN/AjMQ2bgQaQsiB:I8vV7TXSaQZ+cGflUYEWgtQogQaa23W

Static task: static1
Malware Config

Extracted
Family: quasar
Version: 1.4.0
Botnet: Office04
C2: products-behalf.at.ply.gg:6320
Mutex: c23b61cb-eabd-4e27-8555-54877e46a96f
encryption_key: 46B3B352EE74A03CFD2F29605A3A4FEDFCA67DDD
install_name: Microsoft.exe
log_directory: crashlogs
reconnect_delay: 3000
startup_key: Microsoft Windows
subdirectory: Microsoft

Extracted
Family: quasar
Version: 1.4.0
Botnet: FenixFN
C2: region-remarks.at.ply.gg:28982
Mutex: d8be406e-39d8-4c7b-9a06-eddd3d2b4731
encryption_key: B7C9B35BDD90869A55A0CEF7257C297ED4BAE201
install_name: Dashboard.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: SubDir
Targets

Target: FenixCheatBETA.exe
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext