General
Target: reallyrich_protected.exe
Size: 3.2MB
Sample: 230605-bbgw7aed45
MD5: df5d7280e65d54355447a8cf38dfee00
SHA1: 550db0113d38c80e10a08406cdab1b7ba6a7430e
SHA256: 0058c7aff1d46a7adb149bdd15392f2b56de364b1c0a5e546c0fbca15b586fe9
SHA512: a929a1a0575d348d072cd1add9fb45a77e0b4a5c378b16bcbb13c8bbb03f742a570e4614472ab224b29e613b93231f13029d10468bbb6ad3017bad77f65a5102
SSDEEP: 98304:utrc5NQ18Qicj/J/zB+twLfrmISZEsKoFpCUi:15NzQiYLRiV2sKoKB
Behavioral task: behavioral1
Sample: reallyrich_protected.exe
Resource: win7-20230220-en
Malware Config
Extracted: quasar
1.3.0.0
Discord Skids
consider-brochure.at.ply.gg:27804
QSR_MUTEX_K74gPsK0rTir6ohMb6
encryption_key: 7bQbeRbkWBPbfsQ8OJAh
install_name: COM Surrogate.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: SystemHealthTray
subdirectory: SubDir
Targets
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger