General
- Target: 318b4d0e7a32e77a47e80ea0c933010a
- Size: 1.3MB
- Sample: 230823-gpnvjsac42
- MD5: 318b4d0e7a32e77a47e80ea0c933010a
- SHA1: e14a9bf2fbb65d99c09ce4874df357bf48ab33a7
- SHA256: 3eff4c5d17c807e48a3c3ced3264273f19f7d7e3d1224f735f0ae5700d5ec905
- SHA512: 9600dff6b2beea9c65b9340400c584a4ce0556f00eb2bd7eb98ae337ce4167419c063c89d64ca867997496b8418f0b4763201d5247a5229680c69a683765312e
- SSDEEP: 24576:YCUjzUGK5blWiGQ5ZzOkqGRoQ1l+ybMnqFz1Q5Zxc1fPmOAJml:YnxoB5ZzO9GRoQ1lvmqFzexc1f+Oui
Static task: static1
Behavioral task: behavioral1
- Sample: 318b4d0e7a32e77a47e80ea0c933010a.exe
- Resource: win7-20230712-en
Malware Config
Extracted
- Family: quasar
- Version: 1.4.0.0
- SENSHI 3
- C2: 185.177.125.198:222
- LDbLLU62madvFfGsjT
- encryption_key: WCDUxKWT4OyOHRQd2hKI
- install_name: csrss.exe
- log_directory: Logs
- reconnect_delay: 2500
- startup_key: Windows Defender
- subdirectory: SubDir
Targets
- Target: 318b4d0e7a32e77a47e80ea0c933010a
- Size: 1.3MB
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext