General
- Target: Capture_decran_2023-05-30_a_19.07.12.exe
- Size: 201KB
- Sample: 230609-v9flkacg63
- MD5: ef323891840b80c94f2e6f5d833e5766
- SHA1: ee3ef64ce080ed9cb1cde9fc6a7c87153023809b
- SHA256: d90d108900ca928c0e23563af58973e560594b0c7695a990f3fdcbfdfcf56ffa
- SHA512: 1348c54746db626833580748e7d17250f4aa66eb7142902d74942319a61d00b94087728f6d09edfead667124a3f0049e41d27adc16d64702ad5653a543111d68
- SSDEEP: 1536:37f9h0UPJP/CpICdikMLMLv5PFNg1qrX+VIOlnToIfegIxaZxBF+DNQAhGZ3Qp7n:rliUPXC8k1nJrX+fNTBfugr+DmZoonG
Static task: static1
Behavioral task: behavioral1
- Sample: Capture_decran_2023-05-30_a_19.07.12.exe
- Resource: win7-20230220-en
Malware Config
Extracted
- quasar
- 1.4.1
- Office04
- ratcentho.ddns.net:1604
- a48091b5-8649-4186-b51d-37847b346bbb
- encryption_key: E111C166FC0FC5E69CF243BDE5027B1BBD76712A
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: csrss
- subdirectory: SubDir
Targets
- Target: Capture_decran_2023-05-30_a_19.07.12.exe
- Size: 201KB
- MD5: ef323891840b80c94f2e6f5d833e5766
- SHA1: ee3ef64ce080ed9cb1cde9fc6a7c87153023809b
- SHA256: d90d108900ca928c0e23563af58973e560594b0c7695a990f3fdcbfdfcf56ffa
- SHA512: 1348c54746db626833580748e7d17250f4aa66eb7142902d74942319a61d00b94087728f6d09edfead667124a3f0049e41d27adc16d64702ad5653a543111d68
- SSDEEP: 1536:37f9h0UPJP/CpICdikMLMLv5PFNg1qrX+VIOlnToIfegIxaZxBF+DNQAhGZ3Qp7n:rliUPXC8k1nJrX+fNTBfugr+DmZoonG
- Quasar payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE