General
Target: e51e1e4a21fef3fd98784683d80b5a02.bin
Size: 978KB
Sample: 240313-d7v5ssdg95
MD5: 186baf2a39e4b428fc7fa67640be9e6e
SHA1: 891a35a736af8135bcdd976b77072b4c1c98a9fa
SHA256: c36140401c52d70a7d3bd98ac62093dfd2ab449cea98bc9aafbab6aa2062f57f
SHA512: 140eaf9709b8a41ec7226628cae1fcd18a14736c0906cb84ae133d18189fc21cd312f0370c02d18ccb06508bd181737e5e84b4bfc77e186842c59d6fe9a70583
SSDEEP: 24576:7linNLBoib5kIJVl4yGysDVqnR4tX6R9t:7KPNBJ34yGyUMne65
Static task: static1
Behavioral task: behavioral1
Sample: aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe
Resource: win7-20231129-en
Malware Config
Extracted
quasar
1.3.0.0
PVP2
clausetestbits.chickenkiller.com:64598
snoetestbits.ignorelist.com:64598
QSR_MUTEX_ttz0i8tcYpqYyKkP3l
encryption_key: kxBjTYBAXsyGYsjsYZcL
install_name: mcr.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: mcs
subdirectory: mcr
Targets
Target: aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7.exe
Size: 1.0MB
MD5: e51e1e4a21fef3fd98784683d80b5a02
SHA1: 309790387ec94c189ef94803a87fab335159657a
SHA256: aad9903b9803b9a3e2d6c7677d8eb80f537a3543e26725c48dde5e4c53d518b7
SHA512: 329922a8229f6e07f549e8919b4f6e1d60bf7d153b30487c8dde0116d8b31745f88d3f7bf20616d2a88276e8d2c24859e73440a03d4d2ecc08cd207678d84265
SSDEEP: 24576:A1QNv9uN9fFNd6AtvbGN/BCfKEPmxKVnRNWg:A1WluN9fZvbGyKFxg

Quasar payload
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext