General
Target: 11989941315.zip
Size: 4KB
Sample: 230927-k887dahf2y
MD5: 19fb11428e632c5b6161f3f8341fcae2
SHA1: eb4d594bb600f7d1dfa88befd164de88910901f1
SHA256: c1db9e5e071025c583f23a3223762422e6caa9c23ad1cbdfd0ce7a73d668ced0
SHA512: c4be9699e30a00aaf9544bc3f207f60394261f6067b665af6245f14d653c3deafe7f547b998e168d643329c2d96a6b3370171ce460e328c137c194c3dce4dc76
SSDEEP: 96:duiAVpa919mNBE3EkoqvMIUgHAQUSuZMyuBgn3uplUqxdyrQzkuT1k0uDe:UiAzaZABPko9BgHAQUZ3olUqqrxDe
Static task: static1
Behavioral task: behavioral1
  Sample: e775da7c0b55fe06c5de02e116243cb82155d6dc462c220280becaa5b8334123.vbs
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: e775da7c0b55fe06c5de02e116243cb82155d6dc462c220280becaa5b8334123.vbs
  Resource: win10v2004-20230915-en
Malware Config
Extracted: https://textbin.net/raw/ezjmofz3s6
Extracted: quasar
  2.7.0.0
  Venom Client
  crazydns.linkpc.net:3000
  ER5Ojs5Por1j5joXR6
  encryption_key: HHtj6qkHuyo7mzRB7Q0O
  install_name: Venom.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Venom Client Startup
Targets
Target: e775da7c0b55fe06c5de02e116243cb82155d6dc462c220280becaa5b8334123
Size: 163KB
MD5: 11f76a33d09caf69b8ade7f6f2410bf3
SHA1: e8058ec22549d5d144389b3feaa4f594df1f6d20
SHA256: e775da7c0b55fe06c5de02e116243cb82155d6dc462c220280becaa5b8334123
SHA512: 59bd6405abff46700f10136ceb12a887d0403e3f61e7ba55f3787ade85595f7def2062bed401f9f304f04d9727cda87e0189f42980c90a1f195844e087c92a2c
SSDEEP: 3072:iKfIfffo4fffff/oofTffgoff4ZyRKNP85LQG:m
Score: 10/10
- Quasar payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext