General
Target: 7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7.zip
Size: 1.3MB
Sample: 230321-r3x1gsde21
MD5: 5a1f117b8063cd32664bef7d8d18b752
SHA1: ba17eb47dd751942d30be20c7902a8a5f6164cce
SHA256: 2528083cb53974b2448747433aa256e6b440042cbb3afeeae4f4ddc99b601d01
SHA512: 743fc085f87a38b8a6970d155b074951da548650b18d1bc8cfc10b8498e7c3b51cb6cadf6da6087cc92ba5c8057b05ff1ce0dffd721f8f66a03249fbd31f248b
SSDEEP: 24576:4uPWJYfaYYJZwG9S1hykuvpypYS6G+TplAO0hBr2u0RsU9YQK:9uJVkWdypYSeU5Dz0Kd
Static task: static1

Behavioral task: behavioral1
Sample: 7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: SUCCESS
C2: 41.185.97.216:4782
Mutex: MUTEX_QAxMFzrXWG2cbIHPGK
encryption_key: 4DwUV8AnxPgmXSMeThKb
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: cmd
subdirectory: SubDir
Targets
Target: 7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7.exe
Size: 2.9MB
MD5: 68a23c2fc62bddad0a2c6cf36003577b
SHA1: 67a19bf734520933adfa28afc017c3af1d6a3d5b
SHA256: 7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7
SHA512: 0386671ee83c0825f80a0c95b4e21eb23054878546aff5d8ef63a3bcc6a32c53a61397009aee8e8c5fc171b1ed0e9b69a31111eb1b860e1ff67264fcac806cef
SSDEEP: 24576:plubLwtFDS7FYNYD7264xnRhc/LSXxH227hqRCeFcOziFJLUfdKTgWA22222222:gZ7h4xnRhcGXxHxOqdq1pup
Score: 10/10

Signatures
- Quasar payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext