General
Target: ac5efc42d89da8b457b51174d7c4154515dada5f17787b8b1a9c3c957223f6ae
Size: 12.1MB
Sample: 240215-b7zf4see86
MD5: d57a46d32157c46c91ece4cf87007057
SHA1: 479e523a253aa2f3e20a1ca26ec35e2019434a7e
SHA256: ac5efc42d89da8b457b51174d7c4154515dada5f17787b8b1a9c3c957223f6ae
SHA512: a32a24f44397b2ba2a2e8b76a4aaa759748b6136d28d504e23c4a7717cc1681a248f40aae8cd7874551bbaa8d84c23154f39d6751952886326a6c61667d5b1dd
SSDEEP: 393216:Zc1UVqzAqaeU9d683mTvqccCHhk7SyJjM:uKsnaeSdF2+crhISMjM
Behavioral task: behavioral1
Sample: ac5efc42d89da8b457b51174d7c4154515dada5f17787b8b1a9c3c957223f6ae.exe
Resource: win7-20231215-en
Malware Config
Extracted
quasar
1.4.1
UPDATE
armamagedomupdate.ddns.net:4782
127.0.0.1:4782
186.222.176.105:4782
1b6d7fed-1a52-4066-b013-42889840485c
encryption_key: C77872F68B89499AA5521BDFC1B6CC41F2578CAE
install_name: UPDATE.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: AutoUpdate
subdirectory: SubDir
Targets
Target: ac5efc42d89da8b457b51174d7c4154515dada5f17787b8b1a9c3c957223f6ae
Size: 12.1MB
MD5: d57a46d32157c46c91ece4cf87007057
SHA1: 479e523a253aa2f3e20a1ca26ec35e2019434a7e
SHA256: ac5efc42d89da8b457b51174d7c4154515dada5f17787b8b1a9c3c957223f6ae
SHA512: a32a24f44397b2ba2a2e8b76a4aaa759748b6136d28d504e23c4a7717cc1681a248f40aae8cd7874551bbaa8d84c23154f39d6751952886326a6c61667d5b1dd
SSDEEP: 393216:Zc1UVqzAqaeU9d683mTvqccCHhk7SyJjM:uKsnaeSdF2+crhISMjM
Quasar payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
Executes dropped EXE
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger