General
Target: 9eab649219e56ab1e4d7c9a07110543ea464f2ff62f70d570fa6bf78bb83b743
Size: 10.0MB
Sample: 231111-ddvxyafh4x
MD5: b2becaa35ad19a259fcd4d5a4abc6dca
SHA1: ce3d0b768fc5e424edd7c33c54d1027ec8d976af
SHA256: 9eab649219e56ab1e4d7c9a07110543ea464f2ff62f70d570fa6bf78bb83b743
SHA512: 9be9b1570b2552789a14f305edf8800d90770741d4afeee5ba8d985642ec9f5f2e863310376e1b126240e091316b5840011f73f5e17d35df2aabc58795930672
SSDEEP: 6144:NDyTOYKRRp1znRK5HNfcGJAGyDqYcxWIXXO8MAH43IoGDEVng:xyqYCR/RI1JUsxx3QIojn
Static task: static1
Behavioral task: behavioral1
Sample: 9eab649219e56ab1e4d7c9a07110543ea464f2ff62f70d570fa6bf78bb83b743.exe
Resource: win7-20231023-en
Malware Config
Extracted: quasar
1.4.0.0
Office04
statics.kozow.com:4782
unS22qrSdQNffnzBzy
encryption_key: csMSDPXELGapdezEwCQY
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Extracted: quasar
reconnect_delay: 3000
Targets
Target: 9eab649219e56ab1e4d7c9a07110543ea464f2ff62f70d570fa6bf78bb83b743
Size: 10.0MB
MD5: b2becaa35ad19a259fcd4d5a4abc6dca
SHA1: ce3d0b768fc5e424edd7c33c54d1027ec8d976af
SHA256: 9eab649219e56ab1e4d7c9a07110543ea464f2ff62f70d570fa6bf78bb83b743
SHA512: 9be9b1570b2552789a14f305edf8800d90770741d4afeee5ba8d985642ec9f5f2e863310376e1b126240e091316b5840011f73f5e17d35df2aabc58795930672
SSDEEP: 6144:NDyTOYKRRp1znRK5HNfcGJAGyDqYcxWIXXO8MAH43IoGDEVng:xyqYCR/RI1JUsxx3QIojn
- Quasar payload
- Uses the VBS compiler for execution
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext