General
Target: dfab2d1e82849333afbacbee3c34f3ee
Size: 1.5MB
Sample: 230320-h9tf7sed6s
MD5: dfab2d1e82849333afbacbee3c34f3ee
SHA1: f5de021e17f4e080302a1a10f8471b3ccccbaba7
SHA256: 722b72dc48a27d091bf8904c3cb4b71613eceaa099122c070a1f16880dcbc5bd
SHA512: 156ee882e000adca7609e3fd20208abbef501a98cd290f48e1e35aaeb3ff95c1bf45f7f052f689182a37f89de022cb3710d4020c6a542187a629c7846a62e840
SSDEEP: 24576:DWmAFubSDY4ImEadU/WnVW+g1koqHEjj075OCRMY9U0qbuoiRLzFwJsB0nUWpvWL:L20tLv/avgGdkjjQuY9UuogVBsUgm
Static task: static1
Behavioral task: behavioral1
Sample: dfab2d1e82849333afbacbee3c34f3ee.exe
Resource: win7-20230220-en
Malware Config
Extracted: quasar
Version: 1.4.0.0
2
C2: 64.52.80.152:4782
rilN1fAD44GAdui4NQWxRcZ5xvcTflQkoO1X
encryption_key: Bdpmr7D1QFqfxRDrBKr2
install_name: csrss.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: NET framework
subdirectory: SubDir
Targets
Target: dfab2d1e82849333afbacbee3c34f3ee
Size: 1.5MB
MD5, SHA1, SHA256, SHA512, SSDEEP: as listed under General
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
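The extracted config gives three pivots a defender can act on right away: the C2 endpoint 64.52.80.152:4782, an install name (csrss.exe) that masquerades as a Windows system process which only ever runs from %SystemRoot%\System32, and the startup_key "NET framework" used for persistence. The script below is an added example written for this report, not sandbox or Quasar code. It runs those three checks over constructed log lines whose layouts ("ts src dst:port", "ts image parent", "ts key 'value_name' value_data") are assumptions standing in for a real EDR or proxy format. The registry check assumes the startup_key is written as a Run value name (Quasar's registry autostart); the report's "Drops startup file" indicator does not confirm which persistence path this run used, so treat that check as a hypothesis to verify against the actual host. The %APPDATA%\SubDir install path in the sample data is likewise an assumption; the report only gives the directory name.

```python
"""Turn the Quasar config extracted above into concrete detection checks.

This is an added example for the report, not sandbox or Quasar code. The
telemetry below is constructed; its three layouts ("ts src dst:port",
"ts image parent", "ts key 'value_name' value_data") are assumptions standing
in for whatever EDR or proxy format is actually in use.
"""
import ntpath
import re
from typing import Dict, List

# Copied from the report's extracted config.
C2_HOST, C2_PORT = "64.52.80.152", 4782
INSTALL_NAME = "csrss.exe"
SUBDIRECTORY = "SubDir"
STARTUP_KEY = "NET framework"

# A genuine csrss.exe is only ever loaded from %SystemRoot%\System32.
LEGIT_CSRSS_DIR = r"c:\windows\system32"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
REG_RE = re.compile(r"^(\S+) (\S+) '([^']*)' (.*)$")

# Constructed telemetry: one benign and one suspicious record per source.
# The %APPDATA%\SubDir install path is an assumption about where the
# configured subdirectory lands; the report only gives the directory name.
NET_LOG = [
    "2023-03-20T10:01:02Z 10.0.0.12 64.52.80.152:4782",
    "2023-03-20T10:01:05Z 10.0.0.12 142.250.74.46:443",
]
PROC_LOG = [
    r"2023-03-20T10:00:00Z C:\Windows\System32\csrss.exe C:\Windows\System32\smss.exe",
    r"2023-03-20T10:01:01Z C:\Users\victim\AppData\Roaming\SubDir\csrss.exe C:\Users\victim\Downloads\dfab2d1e82849333afbacbee3c34f3ee.exe",
]
REG_LOG = [
    r"2023-03-20T10:01:01Z HKCU\Software\Microsoft\Windows\CurrentVersion\Run 'NET framework' C:\Users\victim\AppData\Roaming\SubDir\csrss.exe",
    r"2023-03-20T10:01:03Z HKCU\Software\Microsoft\Windows\CurrentVersion\Run 'OneDrive' C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
]


def network_hits(lines: List[str]) -> List[str]:
    """Flag connections to the configured C2 endpoint (host and port must both match)."""
    hits = []
    for line in lines:
        ts, src, dst = line.split(" ", 2)
        host, _, port = dst.rpartition(":")
        if port.isdigit() and host == C2_HOST and int(port) == C2_PORT:
            hits.append(f"{ts} {src} -> {dst} matches Quasar C2")
    return hits


def process_hits(lines: List[str]) -> List[str]:
    """Flag csrss.exe running outside System32, or from the configured subdirectory."""
    hits = []
    for line in lines:
        ts, image, parent = line.split(" ", 2)
        norm = ntpath.normpath(image).lower()
        if ntpath.basename(norm) != INSTALL_NAME.lower():
            continue
        in_subdir = SUBDIRECTORY.lower() in norm.split("\\")
        if ntpath.dirname(norm) != LEGIT_CSRSS_DIR or in_subdir:
            hits.append(f"{ts} masqueraded {INSTALL_NAME} at {image} (parent {parent})")
    return hits


def registry_hits(lines: List[str]) -> List[str]:
    """Flag a Run value named after the configured startup_key."""
    hits = []
    for line in lines:
        m = REG_RE.match(line)
        if not m:
            continue
        ts, key, name, data = m.groups()
        if key.lower().endswith(RUN_KEY_SUFFIX) and name == STARTUP_KEY:
            hits.append(f"{ts} Run value '{name}' -> {data}")
    return hits


def triage(net: List[str] = NET_LOG, proc: List[str] = PROC_LOG,
           reg: List[str] = REG_LOG) -> Dict[str, List[str]]:
    """Run all three checks and group the findings by telemetry source."""
    return {
        "network": network_hits(net),
        "process": process_hits(proc),
        "registry": registry_hits(reg),
    }


if __name__ == "__main__":
    for source, findings in triage().items():
        for finding in findings:
            print(f"[{source}] {finding}")
```

The process check deliberately fires on two independent conditions: a csrss.exe image whose directory is not System32, and any csrss.exe under the configured subdirectory name. Either alone is enough to raise the alert, so a sample rebuilt with a different install_name but the same SubDir, or the same install_name dropped elsewhere, is still caught by one of the two branches.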