General
Target: Invoice #INV-000003.xlsm
Size: 42KB
Sample: 230419-tmycesbg84
MD5: 085e42c1d3b9e1ff4ab0fbb281db1973
SHA1: 85254d8a790d17f8086a20fcb0a66ec9b2002ef5
SHA256: 4a5e25c3438b7613bfdbeb0ccc6a98ccf756cbd81ca8b6caa92017f384ac22de
SHA512: e68e40ce3075118bb098d29993591460e0535debf5c68c874a627efc53c70e940cdb5cb369d4f941de28a8e273f1f919f11ef96294a373eefa165603fe74612a
SSDEEP: 768:lBvBp3vVssntNzgmABIJYfTH+niSp5vDHbAv+nWWFFiKk/f6qtGsk8R2+noiOr:3vfvVTD9AG1BLTbAv+FFFi3/CqQ58/o/
Behavioral task: behavioral1
Sample: Invoice #INV-000003.xlsm
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: Invoice #INV-000003.xlsm
Resource: win10v2004-20230220-en
Malware Config
Extracted: quasar 1.3.0.0
SUCCESS
41.185.97.216:4782
MUTEX_KMkEYpkuWKDvhVsEcT
encryption_key: kbnBYlo1Zoug7VQGhNv1
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: cmd
subdirectory: SubDir
Targets
Target: Invoice #INV-000003.xlsm (42KB; hashes as listed under General)
Score: 10/10
Signatures:
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Quasar payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext