General
- Target: 2ee3aa9bc2da3fce27fe025356ae13b1.bin
- Size: 3KB
- Sample: 230701-bgyf5afb97
- MD5: f4499859a1a0cbacc6d97cdd7350856c
- SHA1: a4bc48f8c38b283779bb0b7f435ca9b144a65cb5
- SHA256: 800b825fcf42dff45acf54bacae007176e930669987148d139693ff4fae6c807
- SHA512: 0303c416252622a38400438ff391d2d6b8ef67ea8d2975623c34313647ad1501b2ca5bcada0c3771700fa95e772191eb0422a4110b05b18d1f2a371aa84f7059
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs
  - Resource: win7-20230621-en

Behavioral task
- behavioral2
  - Sample: 77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs
  - Resource: win10v2004-20230621-en
Malware Config

Extracted
- https://pastebin.com/raw/16APD4C6

Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: ACS hope
- C2: crazydns.linkpc.net:26133
- Mutex: QSR_MUTEX_6iGAmxpR39hpOQEFqk
- Attributes:
  - encryption_key: qiJ37BhO6EEtAoSo8ukb
  - install_name: Client.exe
  - log_directory: Logs
  - reconnect_delay: 3000
  - startup_key: Quasar Client Startup
  - subdirectory: SubDir
Targets
- Target: 77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs
- Size: 213KB
- MD5: 2ee3aa9bc2da3fce27fe025356ae13b1
- SHA1: d6c9f20fbfef8b1dca77e002c4ad2b9f7cad13c5
- SHA256: 77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1
- SHA512: 44d12a96f0c6ab16de52ebaae017f4e5e755831bfc9fe4704c560cb92f31f520737cf60949e89ea9e79bd744fa2065a0b29d90d4a033404e3fbdcf1c974b1f28
- SSDEEP: 3072:u5d6525555555e555555555555p5555+Ji555tp:R
Score: 10/10

Signatures
- Quasar payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext