General
- Target: Medieval Cracked.exe
- Size: 51.9MB
- Sample: 230715-hh3kssaa9w
- MD5: 13a623a6fd5ad41c9cba1b7ddfa30878
- SHA1: c3f0a4c9961146fbf046ab6b0e572bcd9c4a923b
- SHA256: 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc
- SHA512: de47b6fc1575d49400ab630780ba45c9e657ed449b94532591fa6c8a81b2d5aab3715d6df0088d20dab431f0f980155dc994b0ce2b11989281b8d8b731576faa
- SSDEEP: 1572864:tYQtiTgQJ7B1uTmU/uwxGBX21FFt1K8NviPc:6V7Lu6tw0oXvAc

Behavioral task: behavioral1
- Sample: Medieval Cracked.exe
- Resource: win7-20230712-en

Behavioral task: behavioral2
- Sample: Medieval Cracked.exe
- Resource: win10-20230703-en

Malware Config
Extracted
- quasar
- 1.4.1
- Office04
- 2.56.245.127:7707
- bfe1300a-d0c1-438c-ac10-db9b3f06e51f
- encryption_key: EAEF8600AE6AE9669093373D05E8E9E509F6D52F
- install_name: Microsoft Language Service.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Microsoft Language Service
- subdirectory: WindowsHost

Targets
- Target: Medieval Cracked.exe
- Size: 51.9MB
- MD5: 13a623a6fd5ad41c9cba1b7ddfa30878
- SHA1: c3f0a4c9961146fbf046ab6b0e572bcd9c4a923b
- SHA256: 99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc
- SHA512: de47b6fc1575d49400ab630780ba45c9e657ed449b94532591fa6c8a81b2d5aab3715d6df0088d20dab431f0f980155dc994b0ce2b11989281b8d8b731576faa
- SSDEEP: 1572864:tYQtiTgQJ7B1uTmU/uwxGBX21FFt1K8NviPc:6V7Lu6tw0oXvAc

- Quasar payload
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.