General
Target: f4a3d9404ad522ec1b9bd8feb8dca3b5.bin
Size: 459KB
Sample: 231024-c9k7yabh95
MD5: 24f5be8735121e539e777b0e7fc5fe61
SHA1: 3158fa8e66b160a92d4e1014d285b72f48a97f7a
SHA256: d69de6f4205696769caffe6bc3b75fd2da005041dcd88c110da9937a159233b6
SHA512: d842ab02af7e65c0d42da45b9c8f361003bd6827c8b058c52fd0067267b6769cf2428df316948f322d6b5eaf5d6b9556ef7130edf6f020158ce79f09c971b973
SSDEEP: 12288:QA11XdtaPye8DJnQDYsLC1cYHfwJhqjwSWabpN/NE:QadkyJDFQDYH+EwLkp5NE

Static task: static1
Behavioral task: behavioral1
Sample: 9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
Resource: win7-20231020-en

Malware Config
Extracted
quasar
1.4.0.0
Office
37.1.207.27:222
7xg1muSKali1I2y5IZ
encryption_key: KWyZntdiPrrGnzylskuR
install_name: csrss.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: NET framework
subdirectory: SubDir

Extracted
quasar
reconnect_delay: 3000

Targets
Target: 9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
Size: 502KB
MD5: f4a3d9404ad522ec1b9bd8feb8dca3b5
SHA1: 33201170d62419689b5685b22325512c27ca16ab
SHA256: 9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88
SHA512: c593bab9c02e4a5a78d420710e422e8b562e2d2e040c745a75aac4a44695ec8d8e83ef999abd17fdd0db0e668a390d93f9d121446fb2f702d982e0bc8e04beea
SSDEEP: 6144:8zAOLe5C9/l3Iv3hlwJYrCp5+kP/af/9jwlYj4ixSP7PtcaZuSrg6n2i3UMyoQTk:8zxICbojRxEceusRn1EvQY

- Quasar payload
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext