General
Target: 14733fd5597f39704c5029997540be19.exe
Size: 1.8MB
Sample: 230423-hch9zadc5x
MD5: 14733fd5597f39704c5029997540be19
SHA1: 8b546cb9b43b8e163faa425e8807a17151210d9b
SHA256: 0767b70abcbe52dde7d3997f689bbd65db1feeaf4f2861e85b3ca869c4017dc0
SHA512: 8aab246c9835cd66705a3935d964b3701fba5d2301057c24dd1cb173065e6d5f632e094b8370d7d7cfc01072c876039a09ca3adf655318e5b596f0237a1e5e55
SSDEEP: 24576:O+rC4mU6rP8/8fFNjy+W/wjFdUwIolLQKfIASWWeT/rZ2zEhosJqNZsWYoDmYzG0:OKO8ku6LUJep2AhRJqv0wzWjO
Static task: static1
Behavioral task: behavioral1, sample 14733fd5597f39704c5029997540be19.exe, resource win7-20230220-en
Behavioral task: behavioral2, sample 14733fd5597f39704c5029997540be19.exe, resource win10v2004-20230220-en
Malware Config
Extracted
Family: quasar
Version: 1.4.0.0
C2: kas22.kro.kr:25565
Mutex: GoogleCrashHandler
encryption_key: 0VhXsd7kmDzOXpW90Kp9
install_name: GoogleCrashHandler.exe
log_directory: GoogleLogs
reconnect_delay: 5000
startup_key: GoogleCrashHandler
subdirectory: Google
Targets
Target: 14733fd5597f39704c5029997540be19.exe (1.8MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, and it is sometimes used as a sandboxing environment.
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
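The behaviour list above and the extracted config are both things a detection engineer wants to replay against host telemetry. The following is an added example, not part of the sandbox report and not the sandbox's own signature engine: a small rule set that walks constructed Sysmon-like events (registry queries, a file drop, a Run key write, a process start, an HTTP request, an NtSetInformationThread call and a TCP connect) and reproduces the verdicts listed for this sample, while also tying the Run key value name, install path and C2 endpoint back to the extracted Quasar config. The event shape, the file paths and the list of IP-lookup hosts are assumptions; the config values are the ones shown in this report.

```python
import re

# Values copied from the extracted Quasar config in this report.
QUASAR_CONFIG = {
    "c2_host": "kas22.kro.kr",
    "c2_port": 25565,
    "startup_key": "GoogleCrashHandler",
    "install_name": "GoogleCrashHandler.exe",
    "subdirectory": "Google",
}

# Constructed telemetry for the sample (assumption: a Sysmon-like event shape,
# not the sandbox's real log format). The drop path is illustrative.
EVENTS = [
    {"type": "reg_query", "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_query", "path": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_query", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "reg_query", "path": r"HKCU\Software\Wine"},
    {"type": "file_create", "path": r"C:\Users\user\AppData\Roaming\Google\GoogleCrashHandler.exe"},
    {"type": "reg_set",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleCrashHandler",
     "data": r"C:\Users\user\AppData\Roaming\Google\GoogleCrashHandler.exe"},
    {"type": "process_create", "image": r"C:\Users\user\AppData\Roaming\Google\GoogleCrashHandler.exe"},
    {"type": "http", "host": "api.ipify.org"},
    {"type": "api_call", "name": "NtSetInformationThread", "info_class": 0x11},
    {"type": "tcp_connect", "host": "kas22.kro.kr", "port": 25565},
]

# Registry locations commonly read to detect VirtualBox, read BIOS strings,
# look up the configured country, or detect Wine.
VBOX_ACPI = re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)
BIOS_INFO = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
WINE_KEY = re.compile(r"\\Software\\Wine(\\|$)", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com", "ip-api.com"}
THREAD_HIDE_FROM_DEBUGGER = 0x11  # ThreadInformationClass passed to NtSetInformationThread


def evaluate(events, config):
    """Replay events and return {signature name: [evidence, ...]}."""
    hits = {}

    def hit(name, evidence):
        hits.setdefault(name, []).append(evidence)

    dropped = set()  # lower-cased paths written to disk by the sample
    for ev in events:
        kind = ev["type"]
        if kind == "reg_query":
            path = ev["path"]
            if VBOX_ACPI.search(path):
                hit("Identifies VirtualBox via ACPI registry values", path)
            if BIOS_INFO.search(path):
                hit("Checks BIOS information in registry", path)
            if GEO_NATION.search(path):
                hit("Checks computer location settings", path)
            if WINE_KEY.search(path):
                hit("Identifies Wine through registry keys", path)
        elif kind == "file_create":
            dropped.add(ev["path"].lower())
        elif kind == "reg_set":
            m = RUN_KEY.search(ev["path"])
            if m:
                hit("Adds Run key to start application", ev["path"])
                # Tie the persistence entry back to the extracted config.
                if m.group(1).lower() == config["startup_key"].lower():
                    hit("Run key value name matches Quasar startup_key", m.group(1))
        elif kind == "process_create":
            image = ev["image"]
            if image.lower() in dropped:
                hit("Executes dropped EXE", image)
            expected_tail = "\\" + config["subdirectory"].lower() + "\\" + config["install_name"].lower()
            if image.lower().endswith(expected_tail):
                hit("Install path matches Quasar subdirectory/install_name", image)
        elif kind == "http" and ev["host"].lower() in IP_LOOKUP_HOSTS:
            hit("Looks up external IP address via web service", ev["host"])
        elif (kind == "api_call" and ev["name"] == "NtSetInformationThread"
              and ev["info_class"] == THREAD_HIDE_FROM_DEBUGGER):
            hit("Suspicious use of NtSetInformationThreadHideFromDebugger", hex(ev["info_class"]))
        elif (kind == "tcp_connect"
              and (ev["host"].lower(), ev["port"]) == (config["c2_host"].lower(), config["c2_port"])):
            hit("Connects to C2 from extracted Quasar config", f"{ev['host']}:{ev['port']}")
    return hits


if __name__ == "__main__":
    for name, evidence in evaluate(EVENTS, QUASAR_CONFIG).items():
        print(f"{name}: {', '.join(evidence)}")
```

The config-derived rules are the useful part for hunting: a Run value named after startup_key, an executable named install_name under the subdirectory folder, and traffic to the C2 host and port are specific to this build, whereas the registry and IP-lookup rules fire on plenty of benign software and should only raise a score on their own.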