General
-
Target
Dox_Tool_V3_Cracked.rar
-
Size
1.6MB
-
Sample
230530-2tbq1abh95
-
MD5
18683f6c7304589153f7c317ad6fb0d6
-
SHA1
d10f08d059ba9793204ef8c77220738af480da22
-
SHA256
46bac1db5da211b56dd46d88afd80b378fa4cf47a75a3e05920db4fe9dd24fd5
-
SHA512
569c4c7c68813c695666427c4523e157bd2253a0e71d321f35b6fecf71f6f91a24371484cc72a7bbb1f5996f47b824365cbd0e5168b49e1a7c1f2f514c1d5009
-
SSDEEP
49152:47oG4dTLfbeI2n38cQQcZKvXFTcvWmpHOrkXfTs:VkncsvVTcvWmpH6kPTs
Static task
static1
Behavioral task
behavioral1
Sample
Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral2
Sample
Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked/data/Launcher.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
quasar
1.3.0.0
Office04
192.168.1.11:4782
QSR_MUTEX_f39lWqYnYtP5YngtM5
-
encryption_key
c5q7P5jsfrwN6nB5c3mG
-
install_name
SystemUpdate.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
WindowsUpdate
-
subdirectory
SubDir
Targets
-
-
Target
Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked.exe
-
Size
207KB
-
MD5
6c206cadf297a02c0af977c65637a166
-
SHA1
7d382b1e6cefd120f9d87f894e14088e18d01c73
-
SHA256
f4f78f44719af71a363bd50107840f53f8eebf3190505c10bac2cf7be3c29e59
-
SHA512
2672ae02fb6b768861f469556f9818fd84866d62122f243309b5f2d13c4c907b6555e968bfb4b10cd48188fe3b2182b15ee7f425ddd14835b483d0dfe721b515
-
SSDEEP
3072:a4lci2Fg23Ii0qLTqBGsx/2JNRnvcXCevyLNgtlr:a6ci8giNLZW2HRnvKClg
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
-
-
Target
Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked/data/Launcher.exe
-
Size
53KB
-
MD5
c6d4c881112022eb30725978ecd7c6ec
-
SHA1
ba4f96dc374195d873b3eebdb28b633d9a1c5bf5
-
SHA256
0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32
-
SHA512
3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981
-
SSDEEP
768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked/data/doxsys.exe
-
Size
1.0MB
-
MD5
8f36caf603f3f2b192c5fd06a8e3c699
-
SHA1
44f387152ee1fb02a83ed0be5e942fd4a733e235
-
SHA256
0ca828c630091173cafd2663393888849459fbc9581d1fd062567d0afdf79a38
-
SHA512
9df012c7420a4f6224907a8ac1e3293985b30c9ff829ecc9cdeea56fdcaa1c46d8e131fdd9b525e6af092065a29401c11f24390ba30969e9f3ab7e60e094dcba
-
SSDEEP
12288:GNTWV+v54B9H+hyf2SF6L6D5hKMzPg9e0oEPABi:GWVa4bHwkSYa4gk0omA
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-