General
Target: 04990099.exe
Size: 916KB
Sample: 230603-ssbvyahf21
MD5: 14f404145a2e342fc8dea1d7410d0977
SHA1: 3cf14a3afa0b3a35de831093f2ced8cb8d37d298
SHA256: c0c546bbb3489141ce05c48cf79f03ef55b8adc2b55f768d9fa6830f15237b66
SHA512: e40065061d0b834423a3f03038b7ad34289d96b73d9c9e60164e67596d2333f0e40ec54b8a960b7d9ed639611b11c3fb1deb60689a4015bc3c97c7397e8fbd61
SSDEEP: 24576:VUcziHVcYBjF3ZLNfBzVHps1LusJLK1lkgoLE:nziHVcYBjF3ZLNfBzVHpsLk1lk
Behavioral tasks
- behavioral1: sample 04990099.exe, resource win7-20230220-en
- behavioral2: sample 04990099.exe, resource win10v2004-20230220-en
Malware Config (extracted)
Family: quasar
Version: 2.8.0.1
Botnet: Venom Client
C2: soon-lp.at.ply.gg:17209
Mutex: JbBKKHh20tjHitewKR
Attributes:
- encryption_key: ZqvCSKfIZ294q5dIHRWw
- install_name: Venom.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: WinHost
Targets
Target: 04990099.exe
Size: 916KB
Score: 10/10
Signatures
- Quasar payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory