General
-
Target
file.exe
-
Size
3.8MB
-
Sample
230609-nlkr2scg7s
-
MD5
4693d917d5573d64bfd2a27e46e04504
-
SHA1
fb97fec5b335804929dc3c8fb7e69073467f4754
-
SHA256
2d24effcdf6f620d368752b0bba8f2b96b01b82d95c36b6d5b34ddbe7740362d
-
SHA512
05f08728f753b0c115f5e30163c08783d3e0dc68762d621bfd1887e8c41d746fba45f22fc10594f48a852222a432ca99bcfeadc2d83d316eb41c51c7f171749a
-
SSDEEP
49152:k6fBW2t1NiKOBFAzHpe64btMTabv3/LQOlFIpfllgqSBZ7rQ0kV8e:k6
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
quasar
1.4.0.0
Office04
hostmeta.duckdns.org:3400
PCoa0XHES5x7Cr7a01
-
encryption_key
cH5E0mLkGfudyeRokQBJ
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
quasar
-
reconnect_delay
3000
Targets
-
-
Target
file.exe
-
Size
3.8MB
-
MD5
4693d917d5573d64bfd2a27e46e04504
-
SHA1
fb97fec5b335804929dc3c8fb7e69073467f4754
-
SHA256
2d24effcdf6f620d368752b0bba8f2b96b01b82d95c36b6d5b34ddbe7740362d
-
SHA512
05f08728f753b0c115f5e30163c08783d3e0dc68762d621bfd1887e8c41d746fba45f22fc10594f48a852222a432ca99bcfeadc2d83d316eb41c51c7f171749a
-
SSDEEP
49152:k6fBW2t1NiKOBFAzHpe64btMTabv3/LQOlFIpfllgqSBZ7rQ0kV8e:k6
Score10/10-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-