General
Target: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.zip
Size: 39KB
Sample: 230321-r3x1gsbd56
MD5: 2a7d306aa35b253e36f4c5fbdd5ab148
SHA1: e1eaed164cb033f466168efd933e4d0b4a683a1b
SHA256: 0364dd00aca1c715d27ee39db28962940b16b012a8cfd2e5fc3a59dae8f38a50
SHA512: f6e6d59818910b0315a5da48402b65d4c1bf835deaa8c4b007c64089c98370f75740c517d50eccef919fbb3d381f44b4b6a42fa20d70a7879890119063edd924
SSDEEP: 768:08f0r2dczmaIr36Y3AX9EjTqX/KoyZqPeEg5etbYqq4dKvZtxe0:p0r2eVIuYc9STqXyoygPWlL4ohW0
Behavioral task: behavioral1
Sample: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.xlsm
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.xlsm
Resource: win10v2004-20230220-en
Malware Config
Extracted: quasar
Version: 1.3.0.0
SUCCESS
C2: 41.185.97.216:4782
Mutex: MUTEX_QAxMFzrXWG2cbIHPGK
encryption_key: 4DwUV8AnxPgmXSMeThKb
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: cmd
subdirectory: SubDir
Targets
Target: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.xlsm
Size: 42KB
MD5: edef1e97fcca56228c1956db6b514f55
SHA1: 00d1bb1cf96aee9a21508b23f6ac113153131b1c
SHA256: 99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93
SHA512: ba718485a68b2a9f5c134e186309dae1d169c22fcc15a4d028121df564fd64a9805e3d31a7edf82279b371c883721dc4d8accc2a3fe02ab3b841cd184b7aa236
SSDEEP: 768:WrvDK4vwssnjS7zWl2BIJYfTH+niSpwvDHvDv+nWfFFiKk/f1qtfHF7RT+nsFf:ivXvwTjSul2G1BoTvDv+0FFi3/dqJl7Z
Score: 10/10
Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro. For an .xlsm sample the parent is the Office process that opened the workbook, so a macro is the expected cause.
Quasar payload
Blocklisted process makes network request
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext
  Setting the context of a thread in another process is the usual step in process hollowing or thread-hijack injection.
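The extracted configuration and the behaviour signatures above give a handful of concrete indicators (C2 socket, mutex name, Run value name, install path, file hashes) that can be turned into hunting logic. The following is an added example, not part of the sandbox report or of Quasar itself: it matches those indicators against a small set of constructed, Sysmon-like telemetry records. The event dictionary shape, the allowlist of benign Office child processes, and the assumption that Quasar's install path ends in subdirectory\install_name are choices made for the example and must be mapped onto real telemetry before use.

```python
"""Hunt for the Quasar indicators from the report in constructed telemetry.

Added example; the event shape below is a simplified Sysmon-like dict
chosen for illustration, not any vendor's real log format.
"""
import hashlib

# Indicators taken from the report.
C2_HOST, C2_PORT = "41.185.97.216", 4782
MUTEX = "MUTEX_QAxMFzrXWG2cbIHPGK"
RUN_VALUE_NAME = "cmd"                        # startup_key: name of the Run value
INSTALL_PATH_SUFFIX = "\\SubDir\\Client.exe"  # subdirectory + install_name (assumed layout)
KNOWN_HASHES = {
    "xlsm": {
        "md5": "edef1e97fcca56228c1956db6b514f55",
        "sha1": "00d1bb1cf96aee9a21508b23f6ac113153131b1c",
        "sha256": "99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93",
    },
    "zip": {
        "md5": "2a7d306aa35b253e36f4c5fbdd5ab148",
        "sha1": "e1eaed164cb033f466168efd933e4d0b4a683a1b",
        "sha256": "0364dd00aca1c715d27ee39db28962940b16b012a8cfd2e5fc3a59dae8f38a50",
    },
}
# Assumed allowlist: Office parents and the few children they normally spawn.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
BENIGN_OFFICE_CHILDREN = {"splwow64.exe", "dw20.exe", "dwwin.exe"}


def hash_bytes(data: bytes) -> dict:
    """Digest a file's bytes with the same algorithms the report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def match_known_sample(data: bytes):
    """Return 'xlsm' or 'zip' if any digest matches a known hash, else None."""
    digests = hash_bytes(data)
    for label, known in KNOWN_HASHES.items():
        if any(digests[algo] == value for algo, value in known.items()):
            return label
    return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def scan_events(events):
    """Return (rule_name, event) pairs for every indicator hit, in event order."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process_create":
            parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
            # Signature: Office process spawning something it should not.
            if parent in OFFICE_PARENTS and child not in BENIGN_OFFICE_CHILDREN:
                hits.append(("office_unexpected_child", ev))
            # Dropped EXE executed from the configured install location.
            if ev["image"].lower().endswith(INSTALL_PATH_SUFFIX.lower()):
                hits.append(("quasar_install_path", ev))
        elif kind == "network_connect":
            if ev["dst_ip"] == C2_HOST and int(ev["dst_port"]) == C2_PORT:
                hits.append(("quasar_c2", ev))
        elif kind == "registry_set":
            key = ev["key"].lower()
            # Run key persistence using the startup_key from the config.
            if "\\currentversion\\run\\" in key and key.endswith("\\" + RUN_VALUE_NAME):
                hits.append(("run_key_persistence", ev))
        elif kind == "mutex_create":
            if ev["name"] == MUTEX:
                hits.append(("quasar_mutex", ev))
    return hits


# Constructed telemetry for the example; paths and user name are made up.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "image": r"C:\Users\admin\AppData\Roaming\SubDir\Client.exe"},
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe"},
    {"type": "mutex_create", "name": "MUTEX_QAxMFzrXWG2cbIHPGK"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cmd",
     "value": r"C:\Users\admin\AppData\Roaming\SubDir\Client.exe"},
    {"type": "network_connect", "dst_ip": "41.185.97.216", "dst_port": 4782},
    {"type": "network_connect", "dst_ip": "8.8.8.8", "dst_port": 53},
]


if __name__ == "__main__":
    for rule, ev in scan_events(SAMPLE_EVENTS):
        print(f"{rule:25s} {ev}")
    print("known sample:", match_known_sample(b"not the sample"))
```

Hash matching is only useful against the exact files in this report; the behavioural rules (Office parent with an unexpected child, the Run value name, the C2 socket) are what survive a recompile, so they are the ones worth keeping once the hashes stop matching.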