Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: HEU_A
C2: hacker.548848.xyz:4000
Mutex: QSR_MUTEX_y7qRPJXwrKoCCGjifB
Attributes:
  encryption_key: zOtqF7XIGfeSwK3tze2l
  install_name: IntelServiceUpdate.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Intel Service Update
  subdirectory: IntelServiceUpdate

Extracted
Family: quasar
Version: 1.3.0.0
Botnet: HEU_T
C2: 81.68.120.79:4000
Mutex: QSR_MUTEX_kWiUJRAFspPTbob5of
Attributes:
  encryption_key: 7GHKJ6ZgFY9nVhHS7b4U
  install_name: IntelService.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Intel Service
  subdirectory: IntelService
Targets

- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Setting ThreadHideFromDebugger on a thread stops a debugger from receiving that thread's debug events; it is a common anti-debugging step.
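The two extracted configs and the behavioral signatures above are the inputs a responder would turn into host and network indicators. The following added example (written for this page, not code from the sandbox or from the Quasar project) copies the reported config values, validates them against the shape both configs share (a `QSR_MUTEX_` prefix followed by 18 alphanumerics, a 20-character key), derives IOCs from them, and tags a handful of constructed host events (mutex creation, registry reads, outbound connections, file writes, Run-key writes) against those IOCs. The registry paths for the VirtualBox ACPI and BIOS checks, the event field names and the sample events are assumptions and are not taken from the report.

```python
"""Turn the reported Quasar 1.3.0.0 configs into IOCs and tag host events.

Config values are copied from the report above.  The registry paths in
ANTI_ANALYSIS_REG and the SAMPLE_EVENTS are constructed for illustration
(assumptions, not data from the report).
"""
import re
from ipaddress import ip_address

CONFIGS = [
    {"botnet": "HEU_A", "version": "1.3.0.0", "c2": "hacker.548848.xyz:4000",
     "mutex": "QSR_MUTEX_y7qRPJXwrKoCCGjifB", "encryption_key": "zOtqF7XIGfeSwK3tze2l",
     "install_name": "IntelServiceUpdate.exe", "log_directory": "Logs",
     "reconnect_delay": 3000, "startup_key": "Intel Service Update",
     "subdirectory": "IntelServiceUpdate"},
    {"botnet": "HEU_T", "version": "1.3.0.0", "c2": "81.68.120.79:4000",
     "mutex": "QSR_MUTEX_kWiUJRAFspPTbob5of", "encryption_key": "7GHKJ6ZgFY9nVhHS7b4U",
     "install_name": "IntelService.exe", "log_directory": "Logs",
     "reconnect_delay": 3000, "startup_key": "Intel Service",
     "subdirectory": "IntelService"},
]

# Both reported mutexes are "QSR_MUTEX_" + 18 alphanumerics; this regex
# encodes that observed shape so unknown samples with the same builder
# pattern are still flagged.
QSR_MUTEX_RE = re.compile(r"^QSR_MUTEX_[A-Za-z0-9]{18}$")

# Registry paths a VirtualBox-ACPI / BIOS anti-VM check typically reads.
# ASSUMPTION: the report only says "ACPI registry values" and "BIOS
# information"; it does not name the keys.
ANTI_ANALYSIS_REG = (
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\DESCRIPTION\SYSTEM\BIOS",
)


def split_c2(c2):
    """'host:port' -> (host, port, 'ip'|'domain'); rejects bad ports."""
    host, _, port = c2.rpartition(":")
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in {c2!r}")
    try:
        ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return host, port, kind


def validate_config(cfg):
    """Return a list of problems; empty means the config matches the expected shape."""
    problems = []
    if not QSR_MUTEX_RE.match(cfg["mutex"]):
        problems.append("mutex does not match QSR_MUTEX_<18 alnum>")
    if len(cfg["encryption_key"]) != 20:
        problems.append("encryption_key length != 20")
    if not isinstance(cfg["reconnect_delay"], int) or cfg["reconnect_delay"] <= 0:
        problems.append("reconnect_delay is not a positive int")
    try:
        split_c2(cfg["c2"])
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def build_ioc_set(configs):
    """Merge every config into lookup sets used by match_event()."""
    iocs = {"mutexes": set(), "c2": set(), "files": set(), "startup": set()}
    for cfg in configs:
        host, port, _ = split_c2(cfg["c2"])
        iocs["mutexes"].add(cfg["mutex"])
        iocs["c2"].add((host, port))
        iocs["files"].add(cfg["install_name"].lower())
        iocs["startup"].add(cfg["startup_key"])
    return iocs


def match_event(event, iocs):
    """Tag one host event (constructed Sysmon-like dict) against the IOCs."""
    tags = []
    kind = event["type"]
    if kind == "mutex":
        if QSR_MUTEX_RE.match(event["name"]):
            tags.append("quasar_mutex_pattern")
        if event["name"] in iocs["mutexes"]:
            tags.append("quasar_mutex_known")
    elif kind == "net":
        if (event["dst"], event["port"]) in iocs["c2"]:
            tags.append("quasar_c2")
    elif kind == "file":
        name = event["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in iocs["files"]:
            tags.append("quasar_install_name")
    elif kind == "reg":
        path = event["path"].upper()
        if any(path.startswith(p.upper()) for p in ANTI_ANALYSIS_REG):
            tags.append("anti_analysis_registry_read")
        if event.get("value") in iocs["startup"]:
            tags.append("quasar_startup_key")
    return tags


def triage(events, configs):
    """Return {event_index: tags} for events that matched at least one IOC."""
    iocs = build_ioc_set(configs)
    hits = {}
    for i, ev in enumerate(events):
        tags = match_event(ev, iocs)
        if tags:
            hits[i] = tags
    return hits


SAMPLE_EVENTS = [  # constructed for the example; not from the report
    {"type": "mutex", "name": "QSR_MUTEX_kWiUJRAFspPTbob5of"},
    {"type": "reg", "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "net", "dst": "81.68.120.79", "port": 4000},
    {"type": "file", "path": r"C:\Windows\System32\IntelService.exe"},
    {"type": "reg", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Intel Service"},
    {"type": "net", "dst": "93.184.216.34", "port": 443},  # unrelated traffic
]

if __name__ == "__main__":
    for cfg in CONFIGS:
        print(cfg["botnet"], "config problems:", validate_config(cfg) or "none")
    for idx, tags in triage(SAMPLE_EVENTS, CONFIGS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], tags)
```

The mutex regex is deliberately separate from the exact-match set: a fresh build of the same kit will carry a new mutex and key, so the shape check catches what the literal IOC misses, while the exact matches tie a hit to one of the two reported botnet IDs.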