General
Target: 0x000b0000000122fe-60.dat
Size: 288KB
Sample: 240302-khyb7acb74
MD5: 473dada2898cd0c3f7bb193e784211a4
SHA1: f9d24e4d578a240df8cb7791145f2a65cdc2a5b8
SHA256: 827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce
SHA512: 3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6
SSDEEP: 6144:gRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkEq:p4AZrg7g9zVGkllbkx
Behavioral task: behavioral1
Sample: 0x000b0000000122fe-60.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 0x000b0000000122fe-60.exe
Resource: win10v2004-20240226-en
Malware Config

Extracted: quasar
Version: 1.4.0.0
Botnet: storage
C2: xmarvel.ddns.net:4782
C2: 2.58.56.188:4782
Mutex: Slbw7KtgA7WecQEqcR
Attributes:
- encryption_key: BTg0dEybEXwn6MM90CP2
- install_name: ccleaner.exe
- log_directory: windowfirewalls
- reconnect_delay: 1
- startup_key: windowsfirewall.msc
- subdirectory: windowsfirewall

Extracted: quasar
Attributes:
- reconnect_delay: 1
Targets

Target: 0x000b0000000122fe-60.dat
Size: 288KB (hashes as listed under General above)
Score: 10/10
Signatures:
- Quasar payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory