General
Target: 81fe02b22a1c5d7d2f58071929b4c6dd.exe
Size: 1.8MB
Sample: 230614-ekmqksch43
MD5: 81fe02b22a1c5d7d2f58071929b4c6dd
SHA1: 12d91d12d4e7d0475b815683bbaf6311a4c5deb5
SHA256: 3f88f0443415341f4807693ead6bcd3be97d7437ba10d01f7b4969dc4ca53a3c
SHA512: 02846ca21b8837a52a3f8ec47d781b7e9e38764176aeb085b2db05ff2a3c2469ca084c195cf00a99f469c586420fc82192ff4ec3a7bbb0965a5724b52bb98d48
SSDEEP: 12288:wG+i1cTob5rpXuEq++p6xG5ssxODepysgSk9DyL1HUyIP9IylT8rhke6nuRs9U51:wrkcG+p6U5U8ae6n+5OaKdWq2o14
Static task: static1
Behavioral task: behavioral1
  Sample: 81fe02b22a1c5d7d2f58071929b4c6dd.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 81fe02b22a1c5d7d2f58071929b4c6dd.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: 202
C2: windows10-11.ddnsfree.com:5552
C2: windows10-11.ddns.net:5552
Mutex: QSR_MUTEX_boxEKxe8a0LoR2kBL1
Attributes:
- encryption_key: KuJ4t6tq6AQ5l33A3aYj
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Targets
Target: 81fe02b22a1c5d7d2f58071929b4c6dd.exe
- Quasar payload
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext