General
Target: yandi.exe
Size: 27.0MB
Sample (sandbox sample ID): 230316-a8qd6aad9z
MD5: 628ef85da2276618c00a61794d9b0ae8
SHA1: 6ea6b2c1eb84bcab7cc07608efd130c0fd2dec0a
SHA256: 5cd433402b80eb5c05b6bdfaaacea035e50dc3ae0e9781d2b8c725401621ee51
SHA512: 66a82e37d32edb84c106b4ff013359ba1409c2d24db524b0ee8f9983801c92fc9ca98ae5cf0689405d35a3b2c0bfc9c6ff63353f6f56393c3b94a67f57175fb6
SSDEEP: 192:5ucYR8AtNdPZ6Gygw2NSbzphrUG+5Ar5WIhjWN69vXHcVS6LokMaYalvVp+pGdRt:uR8AtNdPZ6Gy24zTeqvXdkMcHggnOlu
Note on the hashes: an ssdeep block size of 192 is what the algorithm settles on for only a few KB of varying content, yet the file is reported as 27.0MB. That combination is characteristic of a small executable padded with a long run of identical bytes to exceed scanner size limits; check the tail of the file before using the size as a feature, and expect the SHA hashes to be unique to this padded copy while the ssdeep digest may still match the unpadded build.
Static task: static1
Behavioral task: behavioral1 (sample: yandi.exe; resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: yandi.exe; resource: win10v2004-20230220-en)
Malware Config
Extracted: stealerium
Discord webhook (exfiltration endpoint): https://discord.com/api/webhooks/1033886426409996369/deZ7UCSWZhAXaAdSXmn9OTdcTs1FBytKGyMGCW0hcz2kUH1sES6uBY16PqykOZUlgt_z
The webhook URL is the stealer's drop point. In a Discord webhook URL the numeric path segment is the webhook ID and the last segment is its token; anyone holding the full URL can post to the channel, so treat it as a network IOC and report it to Discord for takedown.
Extracted: quasar
Version: 1.4.0
Botnet/tag: bigfis
C2: craciton.duckdns.org:7771, dashmicrosoft.duckdns.org:7771, microsing.duckdns.org:7771, glare.hadaw.ml:20872
Mutex: 587b7d5c-0131-4b8d-880d-662f0a9f65fa
(The source lists the tag and the GUID without labels; the labels above are the Quasar config fields that a tag string and a GUID occupy.)
encryption_key: 2C0C62BDD42E42BC77F98F8E1EE713B43F791267
install_name: WindowsServe.exe
log_directory: MicrosoftEnlightenment
reconnect_delay: 101 (Quasar's builder takes this value in milliseconds, so reconnect attempts are very frequent while the C2 is unreachable)
startup_key: Microsoft Helper
subdirectory: WindowsSDTR
Host artifacts implied by this config: a file named WindowsServe.exe inside a WindowsSDTR subdirectory of the install root (the root directory itself is not among the extracted fields), an autostart entry named "Microsoft Helper" in the Run key, and a MicrosoftEnlightenment log directory. Three of the four C2 hosts are dynamic-DNS names under duckdns.org whose addresses change, so hunt on hostnames and ports rather than on resolved IPs. The encryption_key is static per build and is a useful string for clustering other builds from the same operator.
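The following is an added example, not part of the sandbox report, showing how the two extracted configs above turn into detection logic: it parses the Quasar C2 list and the Stealerium webhook URL, then runs them over constructed DNS and proxy log lines. The log line formats and the function names are this example's own assumptions; the indicators are copied from the report.

```python
import re

# Indicators copied from the configs extracted on this page.
STEALERIUM_WEBHOOK = ("https://discord.com/api/webhooks/1033886426409996369/"
                      "deZ7UCSWZhAXaAdSXmn9OTdcTs1FBytKGyMGCW0hcz2kUH1sES6uBY16PqykOZUlgt_z")
QUASAR_C2 = [
    "craciton.duckdns.org:7771",
    "dashmicrosoft.duckdns.org:7771",
    "microsing.duckdns.org:7771",
    "glare.hadaw.ml:20872",
]

# Discord webhook URLs have the shape /api/webhooks/<numeric id>/<token>.
# The id identifies the webhook; the token is the secret that lets anyone post to it.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)")


def parse_c2(entries):
    """Turn 'host:port' strings into a set of (host, port) pairs, lower-cased."""
    pairs = set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        pairs.add((host.lower(), int(port)))
    return pairs


def webhook_id(url):
    """Return the numeric webhook id, or None if the URL is not a Discord webhook."""
    m = WEBHOOK_RE.match(url)
    return m.group(1) if m else None


def scan_dns(lines, c2_pairs):
    """Flag DNS queries for any configured C2 hostname.

    Line format (constructed for this example): '<ts> <client_ip> <qname>'.
    Dynamic-DNS C2 (duckdns.org) changes address, so match on the name, not the IP."""
    c2_hosts = {host for host, _ in c2_pairs}
    hits = []
    for line in lines:
        ts, client, qname = line.split()
        name = qname.rstrip(".").lower()
        if name in c2_hosts:
            hits.append((ts, client, name))
    return hits


def scan_proxy(lines, c2_pairs, webhook_url):
    """Flag proxy/egress log lines that reach a C2 host:port or the Stealerium webhook.

    Line format (constructed): '<ts> <client_ip> <method> <url_or_host:port>'.
    CONNECT lines carry host:port; full URLs are only visible when TLS is inspected."""
    wanted_id = webhook_id(webhook_url)
    hits = []
    for line in lines:
        ts, client, method, target = line.split(None, 3)
        if method == "CONNECT":
            host, _, port = target.rpartition(":")
            if (host.lower(), int(port)) in c2_pairs:
                hits.append((ts, client, "quasar-c2", target))
        elif webhook_id(target) == wanted_id:
            hits.append((ts, client, "stealerium-webhook", target))
    return hits


# Constructed sample logs; only the second and fourth line of each block should fire.
DNS_LOG = [
    "2023-03-16T10:00:01Z 10.0.0.12 www.microsoft.com.",
    "2023-03-16T10:00:02Z 10.0.0.12 dashmicrosoft.duckdns.org.",
    "2023-03-16T10:00:03Z 10.0.0.12 discord.com.",
    "2023-03-16T10:00:04Z 10.0.0.12 GLARE.HADAW.ML.",
]
PROXY_LOG = [
    "2023-03-16T10:00:05Z 10.0.0.12 CONNECT discord.com:443",
    "2023-03-16T10:00:06Z 10.0.0.12 CONNECT craciton.duckdns.org:7771",
    "2023-03-16T10:00:07Z 10.0.0.12 GET https://discord.com/api/webhooks/1/other",
    "2023-03-16T10:00:08Z 10.0.0.12 POST " + STEALERIUM_WEBHOOK,
]

if __name__ == "__main__":
    c2 = parse_c2(QUASAR_C2)
    for hit in scan_dns(DNS_LOG, c2) + scan_proxy(PROXY_LOG, c2, STEALERIUM_WEBHOOK):
        print(hit)
```

Two practical points the sample logs illustrate: a plain `discord.com` DNS query or CONNECT is not an indicator on its own, since the domain is legitimate and the webhook path is inside TLS, so without TLS inspection the webhook can only be matched in decrypted traffic, in memory, or in the binary itself; and the Quasar hosts are matched case-insensitively on name plus port because the dynamic-DNS addresses behind them will not stay constant.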
Targets
Target: yandi.exe (27.0MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures:
Quasar payload
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: uses a legitimate IP-lookup service to find the infected system's external IP.