General
Target: 0c0dc0cf41e3c993ae5a22803275949abin.zip
Size: 9.5MB
Sample: 240105-nxpkdabhe6
MD5: 468bc5977d7a82e95b50b7793dbadec6
SHA1: 99180d2a32d95a96958ff7fb060ddb04ade154a8
SHA256: 01e185ad6cba8440d1fa1d5c5ea5802d346ae7fabbe1c57115e4135b84420a7f
SHA512: e05d727ab548c7f127311565773b9250c2362ea69e56e3dd118b2f73cc7ee200531677d72e9aa4c5f397ae0e86369834795fd41bc1be44716f703f7865ad85f8
SSDEEP: 196608:H/UCCA89F4vqhvIeMGD4LH+AHiGHAkdGuqVHjx:H/UCC7f4yhQeELH9HBgkFq3

Static task: static1
Behavioral task: behavioral1
Sample: 18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe
Resource: win7-20231215-en

Malware Config
Extracted: quasar
1.4.1
Office04
brofisthej.ddns.net:4822
bba16831-38af-412f-a8c5-a3e7484d19bf
encryption_key: E24AB48F8EFB3017AA47324E2998E2D387BE10A9
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir

Targets
Target: 18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe
Size: 12.7MB
MD5: 0c0dc0cf41e3c993ae5a22803275949a
SHA1: e372df2088dfa0695608a0ecf9b98c133abcf8f6
SHA256: 18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc
SHA512: 41f531cc954c6c39be9458a8e048cda64f8604a62ab730024c495e4fe771ce53edd2befb1af31e1f4962d975f35a224f8d752f9c28a7ec64e08e968c1abacf98
SSDEEP: 49152:fIjotieByewT9gG21ntArAfjm6miv/t61TRORHEuEu1kGNkLde+tMtl1vVsTNwaC:fIq

Signatures
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Quasar payload
- Nirsoft
- Creates new service(s)
- Stops running service(s)
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger