General
  Target: ayoubpayload.exe
  Size: 2.2MB
  Sample: 230823-wbx9dsfh9y
  MD5: 267d75c2de40684ff69a9cbe186d951a
  SHA1: 7a0a4d7c9dabfc767822d986ba40777536768063
  SHA256: 81ecb3b3f6307ab77fa8242cf6942cea00d2bd435a78e12e18a517cbad0311c6
  SHA512: 1592f19c7fe8a6d9d41777b7e9bfd79e7f718345925e14c2bad7bbfb311a9f71da95947f32f3d8994a5f137441261ff7e6ab1f6200b1cbdd154b8118a11ecd29
  SSDEEP: 49152:gxdegI/t6a+DGYuSl+GPs/clmJ+kJQlQRI6FIPaO9oa4N2kEvjVC8HlJV6Zz1o:gxrI1sX+GUEoJ+uQlQRkPaO9pgEvjlHx
Static task: static1

Behavioral task: behavioral1
  Sample: ayoubpayload.exe
  Resource: win7-20230712-en

Behavioral task: behavioral2
  Sample: ayoubpayload.exe
  Resource: win10v2004-20230703-en
Malware Config

Extracted: asyncrat
  Botnet: Default
  C2: 127.0.0.1:6606
  C2: 127.0.0.1:7707
  C2: 127.0.0.1:8808
  Telegram URL: https://api.telegram.org/bot6461431087:AAEzHlXuxjiqDlddC5mfOauganj96ROBp6U/sendMessage?chat_id=578807764
  Mutex: AsyncMutex_6SI8OkPnk
  Attributes:
    delay: 3
    install: false
    install_folder: %AppData%

Extracted: quasar
  Version: 1.4.0.0
  Botnet: Office04
  C2: 185.238.3.205:6669
  Mutex: 4LDmiMPcrWXI3vcHed
  Attributes:
    encryption_key: M11R9prTigoaqxzXOSPw
    install_name: Client.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: Quasar Client Startup
    subdirectory: SubDir
Targets

Target: ayoubpayload.exe (same file and hashes as listed under General)
Signatures:
  Quasar payload
  StormKitty payload
  Async RAT payload
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Drops desktop.ini file(s)
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  Looks up geolocation information via web service
    Uses a legitimate geolocation service to find the infected system's geolocation info.
  Suspicious use of SetThreadContext