General
Target: 24ac8f788c945be0d9ce1ee31573e040
Size: 691KB
Sample: 231231-c28y2agddl
MD5: 24ac8f788c945be0d9ce1ee31573e040
SHA1: 99c847a279f4253ce11680d08e8c579998e1f690
SHA256: fe8593b5d45e1ffcd4f1d47e4167c5e13ad33f3391250d53e500ff0328f018cc
SHA512: 0aad7edb667544d2946b0545c23f47ec99fbcd1e9106c55908f3f92061a2f736f3ad29e426feb140e91d0bdfa249266cc1f4883e43f521c1d0a60bc0d6d33cf3
SSDEEP: 12288:N8F2v5RYZjGagUjAtN8yt00khHaK/0CrMixd/+RGzXsMB9h7ukziWy9EUKFTZdX1:N8iTYZjGM8D8GKMCrMi3JzXsW9ESiWyS

Static task
static1

Behavioral task
behavioral1
Sample: 24ac8f788c945be0d9ce1ee31573e040.exe
Resource: win7-20231215-en

Behavioral task
behavioral2
Sample: 24ac8f788c945be0d9ce1ee31573e040.exe
Resource: win10v2004-20231215-en

Malware Config

Extracted
quasar
1.4.0.0
Office04
127.0.0.1:443
FBdXANGH0BYFlg9CNn
encryption_key: A6NhGxikgt5GpTQYuW3i
install_name: Microsoft Offline.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Microsoft Offline
subdirectory: SubDir

Extracted
quasar
reconnect_delay: 3000

Targets

Target: 24ac8f788c945be0d9ce1ee31573e040
Size: 691KB
MD5: 24ac8f788c945be0d9ce1ee31573e040
SHA1: 99c847a279f4253ce11680d08e8c579998e1f690
SHA256: fe8593b5d45e1ffcd4f1d47e4167c5e13ad33f3391250d53e500ff0328f018cc
SHA512: 0aad7edb667544d2946b0545c23f47ec99fbcd1e9106c55908f3f92061a2f736f3ad29e426feb140e91d0bdfa249266cc1f4883e43f521c1d0a60bc0d6d33cf3
SSDEEP: 12288:N8F2v5RYZjGagUjAtN8yt00khHaK/0CrMixd/+RGzXsMB9h7ukziWy9EUKFTZdX1:N8iTYZjGM8D8GKMCrMi3JzXsW9ESiWyS

Signatures
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext