General

Target: Client.exe
Size: 8.2MB
Sample: 240115-cxevdsgef5
MD5: 1e5e92049ee3411cb606a56a535987b8
SHA1: 9f3c701ede9d7c4ffec03f8ee02d5161e1c41b80
SHA256: 3b284744b856c3cf5d445be60cb327bcf5b69b844b80ba8f1ada2130e426eca8
SHA512: a119c29a53fc44ee430f24cd183917f8b1ec1fd83b9fc1a3d1dad0b1a4f19a0bb6fd532fb7f298ee18388502b34c50ab06232f7b8122b46674945459cc8442fa
SSDEEP: 98304:Nvm42pda6D+/PjlLOlZyQipV0TRJ6uYcRQK1Ir9cX2wuAzQ2lz8kgHjBAHvEIxwu:hyOpUXflzEHjB7h306I
Behavioral task: behavioral1
Sample: Client.exe
Resource: win7-20231215-en
Malware Config

Extracted: Quasar
Version: 1.4.1
Campaign tag: UPDATE
C2: armamagedomupdate.ddns.net:4782
C2: 127.0.0.1:4782 (loopback; not a usable network indicator)
C2: 186.222.176.105:4782
Mutex: 1b6d7fed-1a52-4066-b013-42889840485c
encryption_key: C77872F68B89499AA5521BDFC1B6CC41F2578CAE
install_name: UPDATE.exe (file name of the dropped copy)
log_directory: Logs
reconnect_delay: 3000 (milliseconds between C2 reconnect attempts)
startup_key: AutoUpdate (value name written under the Run key for persistence)
subdirectory: SubDir (folder under the install directory; the install directory itself is not part of the extracted config)
Targets

Target: Client.exe (8.2MB; hashes as listed under General)
Signatures:
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger (NtSetInformationThread called with the ThreadHideFromDebugger information class, which stops the thread from delivering debug events; a common anti-debugging trick)
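The extracted config and the signature list above give everything needed for host-based hunting: the C2 endpoints, the dropped file name and subdirectory, the Run-key value name, and the VM-fingerprinting registry reads. The following Python turns them into checks and runs them over a handful of constructed Sysmon-style events. It is an example added to this report, not Triage's or Quasar's own code; the event field names, the concrete registry paths for the ACPI/BIOS checks, and the install location under AppData are assumptions, not values from the report.

```python
"""Hunting checks derived from the extracted Quasar 1.4.1 config.

Added example for this report (not Triage or Quasar code). Event layout is
modelled loosely on Sysmon; field names and the sample events are constructed.
"""
import re
from collections import Counter

# Values copied from the extracted config in this report.
QUASAR_CONFIG = {
    "version": "1.4.1",
    "tag": "UPDATE",
    "c2": ["armamagedomupdate.ddns.net:4782", "127.0.0.1:4782", "186.222.176.105:4782"],
    "mutex": "1b6d7fed-1a52-4066-b013-42889840485c",
    "install_name": "UPDATE.exe",
    "subdirectory": "SubDir",
    "startup_key": "AutoUpdate",
    "reconnect_delay_ms": 3000,
}

# Assumed concrete paths for the "ACPI registry values" and "BIOS information"
# signatures; the report names only the categories, not the keys.
FINGERPRINT_KEYS = (
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__",
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__",
)


def c2_endpoints(cfg):
    """host:port strings -> (host, port), dropping loopback, which cannot be hunted on the wire."""
    out = []
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        if host != "127.0.0.1":
            out.append((host.lower(), int(port)))
    return out


def dropped_binary_re(cfg):
    r"""Case-insensitive regex for the tail of the install path, e.g. ...\SubDir\UPDATE.exe."""
    return re.compile(re.escape(cfg["subdirectory"]) + r"\\" + re.escape(cfg["install_name"]) + r"$", re.I)


def check_event(ev, cfg):
    """Return the names of the checks a single event triggers (empty list for benign events)."""
    hits = []
    kind = ev["event"]
    if kind == "network_connect" and (ev["dest_host"].lower(), ev["dest_port"]) in c2_endpoints(cfg):
        hits.append("c2_connect")
    if (kind == "registry_set" and ev["key"].lower().endswith(r"\currentversion\run")
            and ev["value_name"].lower() == cfg["startup_key"].lower()):
        hits.append("run_key_persistence")
    if dropped_binary_re(cfg).search(ev.get("image", "")):
        hits.append("dropped_binary_active")  # the installed copy is running
    if kind == "registry_read" and ev["key"].lower().startswith(tuple(k.lower() for k in FINGERPRINT_KEYS)):
        hits.append("vm_fingerprint_read")
    return hits


def triage(events, cfg):
    """Aggregate check hits over an event stream."""
    counts = Counter()
    for ev in events:
        counts.update(check_event(ev, cfg))
    return counts


# Constructed sample events, not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\u\AppData\Roaming\SubDir\UPDATE.exe",
     "parent": r"C:\Users\u\Downloads\Client.exe"},
    {"event": "registry_set", "image": r"C:\Users\u\Downloads\Client.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "AutoUpdate", "data": r"C:\Users\u\AppData\Roaming\SubDir\UPDATE.exe"},
    {"event": "network_connect", "image": r"C:\Users\u\AppData\Roaming\SubDir\UPDATE.exe",
     "dest_host": "armamagedomupdate.ddns.net", "dest_port": 4782},
    {"event": "network_connect", "image": r"C:\Users\u\AppData\Roaming\SubDir\UPDATE.exe",
     "dest_host": "127.0.0.1", "dest_port": 4782},
    {"event": "registry_read", "image": r"C:\Users\u\Downloads\Client.exe",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"event": "registry_read", "image": r"C:\Users\u\Downloads\Client.exe",
     "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"event": "network_connect", "image": r"C:\Windows\explorer.exe",
     "dest_host": "example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for name, n in sorted(triage(SAMPLE_EVENTS, QUASAR_CONFIG).items()):
        print(f"{name}: {n}")
```

The loopback entry is filtered out deliberately: a connection to 127.0.0.1:4782 tells you nothing on a network sensor, though the process making it is still the installed copy, which is why that event is still flagged by the path check. The VM-fingerprint check is the weakest of the four, since legitimate inventory software reads the same BIOS keys; it is useful as corroboration for a process already matched by the other checks rather than as a standalone alert.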