General
-
Target
QSAR.exe
-
Size
3.8MB
-
Sample
230604-3pnqfaeb46
-
MD5
b5f2bdcf06aae6c7e55c57fa3bb1233f
-
SHA1
ae89b4e0ab3042a82f876bca93af1cd51564625a
-
SHA256
a73e31f73387a5e43157b02f3df6edbebc54ab806dfc53054f4d0e2efbee5d54
-
SHA512
9b0bc29d4c15c0d18281b543c5e9c7b9ace5aaf65eb13d679ece6178f903e2d8763d037307021e987c68889db12c827ebeebc27848b66608c91481710eebb03a
-
SSDEEP
49152:dl93YePBeO8qmJmbEhN+TJBDgN8nCfV8ot35mzUNs6P/dXy8KGCz/W2nxLOpavvU:7ye5e4FbDI8sF1s6U8KGoTKIAQphv/Q
Behavioral task
behavioral1
Sample
QSAR.exe
Resource
win7-20230220-en
Malware Config
Extracted
quasar
1.4.1
Discord Updater
34.95.169.39:9000
microsotf.ddns.net:9000
159eba35-3396-4041-83ca-f7ae82b4a3c4
-
encryption_key
DD11DD94FCA2BC6D9E7164A7520569590E885EE8
-
install_name
Update.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Updater
-
subdirectory
Discord Updater
Targets
-
-
Target
QSAR.exe
-
Size
3.8MB
-
MD5
b5f2bdcf06aae6c7e55c57fa3bb1233f
-
SHA1
ae89b4e0ab3042a82f876bca93af1cd51564625a
-
SHA256
a73e31f73387a5e43157b02f3df6edbebc54ab806dfc53054f4d0e2efbee5d54
-
SHA512
9b0bc29d4c15c0d18281b543c5e9c7b9ace5aaf65eb13d679ece6178f903e2d8763d037307021e987c68889db12c827ebeebc27848b66608c91481710eebb03a
-
SSDEEP
49152:dl93YePBeO8qmJmbEhN+TJBDgN8nCfV8ot35mzUNs6P/dXy8KGCz/W2nxLOpavvU:7ye5e4FbDI8sF1s6U8KGoTKIAQphv/Q
-
Quasar payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-