General
Target: 278d30b853f49e6a13cbe9f34f1d41ca
Size: 5.6MB
Sample: 231231-eqqpesacg3
MD5: 278d30b853f49e6a13cbe9f34f1d41ca
SHA1: 035df2a06e5d41e3846e80e48f23b8a910c43e69
SHA256: 42f38e100ef58aface240a755a20d02d55a574e7c8c78724ec5e062948d07a54
SHA512: 3c9106d22fe264643641429b4845f4b157ec1dac42f67c2692156c0649ef32019dcf6c6f11adfc476b91ccac7b8ce41f336b58ff0857cf669967449e30063e6d
SSDEEP: 98304:6nzQFlgYbe8fNk7GZHJPGMoSYf/DZegHkPFB/bBqwVUhwNCTqNLdcqEpdnNpBpEd:+z+2We81k7W1PoVZxCFBZCXSLdb2d2
Static task: static1
Behavioral task: behavioral1
Sample: 278d30b853f49e6a13cbe9f34f1d41ca.exe
Resource: win7-20231129-en
Malware Config
Extracted
quasar
1.3.0.0
Office04
mushiyu123123.f3322.org:50050
QSR_MUTEX_kU6R4WcEnrRpV1pmT3
encryption_key: biuAuxCALf3qLcsJPIYC
install_name: smss.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: c3pool
subdirectory: c3pool
Targets
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger