General
-
Target
2f1a8efb9627283f08b6819ab35eef398a6e51f89a8b17cdb90270af67943071
-
Size
10.2MB
-
Sample
240204-bl1r2sead6
-
MD5
f34bb3553d1d9b878d7532795ab5ec7c
-
SHA1
b2ecbcc62cb9f06fbdb0e11cf76708abf186e960
-
SHA256
2f1a8efb9627283f08b6819ab35eef398a6e51f89a8b17cdb90270af67943071
-
SHA512
540ce2559e0677c3e812ccb1c9810ed743b20243f1fb63c999d2e58eb19b6ad6b97ede6a130e4d8172b3c7b10b819e3d41754afdf253bb525f3d9f639044361c
-
SSDEEP
196608:QBCIYp8VP0VHzg9Aj72jlZOvyhO27EDRJL6A/PeaB6Jc6HkPq:xmVP0Vg9AejlZ5O2oVJL7H2Jhiq
Behavioral task
behavioral1
Sample
2f1a8efb9627283f08b6819ab35eef398a6e51f89a8b17cdb90270af67943071.exe
Resource
win7-20231129-en
Malware Config
Extracted
quasar
1.4.1
UPDATE
armamagedomupdate.ddns.net:4782
127.0.0.1:4782
186.222.176.105:4782
1b6d7fed-1a52-4066-b013-42889840485c
-
encryption_key
C77872F68B89499AA5521BDFC1B6CC41F2578CAE
-
install_name
UPDATE.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
AutoUpdate
-
subdirectory
SubDir
Targets
-
-
Target
2f1a8efb9627283f08b6819ab35eef398a6e51f89a8b17cdb90270af67943071
-
Size
10.2MB
-
MD5
f34bb3553d1d9b878d7532795ab5ec7c
-
SHA1
b2ecbcc62cb9f06fbdb0e11cf76708abf186e960
-
SHA256
2f1a8efb9627283f08b6819ab35eef398a6e51f89a8b17cdb90270af67943071
-
SHA512
540ce2559e0677c3e812ccb1c9810ed743b20243f1fb63c999d2e58eb19b6ad6b97ede6a130e4d8172b3c7b10b819e3d41754afdf253bb525f3d9f639044361c
-
SSDEEP
196608:QBCIYp8VP0VHzg9Aj72jlZOvyhO27EDRJL6A/PeaB6Jc6HkPq:xmVP0Vg9AejlZ5O2oVJL7H2Jhiq
-
Quasar payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-