General
- Target: 6dbb66926ff472a072d07773b2bf1f01.bin
- Size: 914KB
- Sample: 230331-bysl7sgb77
- MD5: 6dbb66926ff472a072d07773b2bf1f01
- SHA1: 8b8d6aa38a21810d101b47a04d69d47f2a85e96d
- SHA256: 2d0b88e49c10cb4ece429f61f177523f54eef92a53d1cacc7a8446dec2808d36
- SHA512: 91a39f26a2762c997904b74de75e040d35f8a0c6fc6040c6df3c1e3fae8a65264484a123e5d9971b9fe6f51415c6fd05a1c7fb8931feef38b4db04b9c2a28501
- SSDEEP: 24576:xu37ye+JcWd/Xk9pCPNf4ar02gcv+CjCGwl9qm:07ye+JFd/09IJ4argcZjP0
Static task: static1
Behavioral task: behavioral1
- Sample: wwwdiangovcoPaginasestadodecuentan5235364788ref.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: wwwdiangovcoPaginasestadodecuentan5235364788ref.exe
- Resource: win10v2004-20230220-en
Malware Config
Targets
- Target: wwwdiangovcoPaginasestadodecuentan5235364788ref.exe
- Size: 1.1MB
- MD5: 0512f44eaa7452c825b34adf767ef16b
- SHA1: 3a86a32085b5b3e5f21423dadbfd37d0c0ef8774
- SHA256: 38b7701ddd4541928a2ab57f9bd992bc885ac0f6ee407875da197c95935a2ade
- SHA512: 2c2f4251c38a90b65e60536aa40c2b726872b75a8ac1ed0c373648fe210c80e742a957083386f7376c68a8ca77c78e465aa0b7cd9d72288bc4a02df9b7f5376e
- SSDEEP: 24576:512zVZ97v2SJfe41ImXk6skuDQ9E2wMCmu6s4j+yFt:5AR37vDfVmBkE8bw4JB+
Score: 10/10
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies security service
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext