General
-
Target
c8196288761492d1e659b22638fb94a9e9fa7fbf8ad6e6e1c2c2d59c14a556f9
-
Size
12.0MB
-
Sample
240207-bgkj9sdabp
-
MD5
13a02653ca2e0c643e205989c6407f92
-
SHA1
a5badc1558d80b97096fb3f5036ece58f509e627
-
SHA256
c8196288761492d1e659b22638fb94a9e9fa7fbf8ad6e6e1c2c2d59c14a556f9
-
SHA512
621d0c7fe11b8dba6ac53fe3753f0914514535b45e0d40d5be94c6da352599f78c4e502e3e5de12e0a800646276ca6ca0ac73d112cfd8b302eb497c43c87b54c
-
SSDEEP
196608:7346g0/MkE+rGyEBhVO3QyUAbfYXtMVNtbtvj3Uaf5oJ43qs/USvmxaHmVUp:z46g0/MkE+roxO3zbxtj3UaKJ43qssjQ
Behavioral task
behavioral1
Sample
c8196288761492d1e659b22638fb94a9e9fa7fbf8ad6e6e1c2c2d59c14a556f9.exe
Resource
win7-20231129-en
Malware Config
Extracted
quasar
1.4.1
UPDATE
armamagedomupdate.ddns.net:4782
127.0.0.1:4782
186.222.176.105:4782
1b6d7fed-1a52-4066-b013-42889840485c
-
encryption_key
C77872F68B89499AA5521BDFC1B6CC41F2578CAE
-
install_name
UPDATE.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
AutoUpdate
-
subdirectory
SubDir
Targets
-
-
Target
c8196288761492d1e659b22638fb94a9e9fa7fbf8ad6e6e1c2c2d59c14a556f9
-
Size
12.0MB
-
MD5
13a02653ca2e0c643e205989c6407f92
-
SHA1
a5badc1558d80b97096fb3f5036ece58f509e627
-
SHA256
c8196288761492d1e659b22638fb94a9e9fa7fbf8ad6e6e1c2c2d59c14a556f9
-
SHA512
621d0c7fe11b8dba6ac53fe3753f0914514535b45e0d40d5be94c6da352599f78c4e502e3e5de12e0a800646276ca6ca0ac73d112cfd8b302eb497c43c87b54c
-
SSDEEP
196608:7346g0/MkE+rGyEBhVO3QyUAbfYXtMVNtbtvj3Uaf5oJ43qs/USvmxaHmVUp:z46g0/MkE+roxO3zbxtj3UaKJ43qssjQ
-
Quasar payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-