General
-
Target
Client-built.exe
-
Size
405KB
-
Sample
230604-qsjvfach8t
-
MD5
5d28f72d1aad116bab07c41530e7734a
-
SHA1
1b0a277f8bbb8dbee1e791cda8c134d138ce0c38
-
SHA256
d1051935a532ce6813099c06cc359aa1e02cb1f0e341583b3ec3253186e33a80
-
SHA512
39b9acaa7fbc7c6d1393d734cfec2fb3bda58abecaaed5b4c8d51cefc46e353fbbf5520ce6acb9ef2464ec1c529cc8ee4bad7b05a224caad1b1854087d2f807b
-
SSDEEP
6144:R+iBrrx0Bua4fRbLHp6t/ixYbaZZWstTC/2pQLrUwlYh:FBrP0hiHHtO/GWrUwlYh
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Client-built.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
quasar
1.3.0.0
NameSystem
bobbawb1000.duckdns.org:23092
32m2kfpPHGN1CMuUm
-
encryption_key
bhThH4m2frhSbvbgSILD
-
install_name
dirsys.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
dirsys
-
subdirectory
DirSys
Targets
-
-
Target
Client-built.exe
-
Size
405KB
-
MD5
5d28f72d1aad116bab07c41530e7734a
-
SHA1
1b0a277f8bbb8dbee1e791cda8c134d138ce0c38
-
SHA256
d1051935a532ce6813099c06cc359aa1e02cb1f0e341583b3ec3253186e33a80
-
SHA512
39b9acaa7fbc7c6d1393d734cfec2fb3bda58abecaaed5b4c8d51cefc46e353fbbf5520ce6acb9ef2464ec1c529cc8ee4bad7b05a224caad1b1854087d2f807b
-
SSDEEP
6144:R+iBrrx0Bua4fRbLHp6t/ixYbaZZWstTC/2pQLrUwlYh:FBrP0hiHHtO/GWrUwlYh
Score10/10-
Quasar payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-