General
- Target: Q.exe
- Size: 3.1MB
- Sample: 230823-xtrp1afa37
- MD5: d7624b58e4535d5f1c7b3626e1d7f574
- SHA1: 2cb99b83f9f2d20899ae9745f67f2205f2844664
- SHA256: a482811f54e56464eec332163be58eafdfbd8174a52367f212aabe3d5690f901
- SHA512: febc6c4362c58d03782b1e59695313128fe2e8eb67e2eebad186de6ad82e78f6fd3d195517e75bfba273296de5129cb38581c94938720c8ac9a82685cfabaca5
- SSDEEP: 49152:Hv2I22SsaNYfdPBldt698dBcjH7/RJ6gbR3LoGdhTHHB72eh2NT:Hvb22SsaNYfdPBldt6+dBcjH7/RJ66
Behavioral task: behavioral1
- Sample: Q.exe
- Resource: win7-20230712-en
Malware Config
Extracted family: quasar
- Version: 1.4.1
- Botnet: Alex
- C2: 7.tcp.ngrok.io:21630
- C2: alexthedns.com:4444
- Mutex: bd3821ca-cf93-479f-8337-5947c3698468
- encryption_key: 6DA001BD6C6276995240688DD6532A416FADB825
- install_name: winrom.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: winrom.exe
- subdirectory: winrom
Targets
- Target: Q.exe
- Size: 3.1MB
- Quasar payload
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2