General
-
Target
f531e877860d55c756fb1ef584d1ed8a.bin
-
Size
979KB
-
Sample
240313-eb56kaca8w
-
MD5
35c80c8393bd3f7f3b7345c61dd21d6b
-
SHA1
fc2ae5615a88877b59f0af4e6a94579c2e70a5e4
-
SHA256
b8c3ff5e368c1e11a4cd9b9f76fada25f740e6d0ca7acd5a75440cb75aab8dcd
-
SHA512
66e060e9effca85616098afe1c11aaf46c171fe7c6b14b0e630d362d1e124da2642da9e5c8519e42b92989eb640287e82f2245b81cb1d0b5275289c0ff87f53f
-
SSDEEP
24576:HvJOdWInr6ZXKmf0baMRdiOPwX8cK1ZMXZ6n:HcWMr6B0iO4k1GZ6n
Static task
static1
Behavioral task
behavioral1
Sample
8817121972c8d15861d1b458c7997f308458004b22e0704e1fc312e6253b0c15.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
8817121972c8d15861d1b458c7997f308458004b22e0704e1fc312e6253b0c15.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
quasar
1.3.0.0
PVP2
clausetestbits.chickenkiller.com:64598
snoetestbits.ignorelist.com:64598
QSR_MUTEX_ttz0i8tcYpqYyKkP3l
-
encryption_key
kxBjTYBAXsyGYsjsYZcL
-
install_name
mcr.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
mcs
-
subdirectory
mcr
Targets
-
-
Target
8817121972c8d15861d1b458c7997f308458004b22e0704e1fc312e6253b0c15.exe
-
Size
1.0MB
-
MD5
f531e877860d55c756fb1ef584d1ed8a
-
SHA1
5c136e17a56d8e204e6a91c91c9b5811aca94381
-
SHA256
8817121972c8d15861d1b458c7997f308458004b22e0704e1fc312e6253b0c15
-
SHA512
16fccdae8245d53bea59885626a335b406ec83d49c3a7b4347ee10b8c84efad201be3697f5eec0a8522b717339a9cb4a4dbca2af59825cee4592ea5d237d0201
-
SSDEEP
24576:OfhQo/Nij51ail9rFV7cgWaYdepbPA+DP5M5wDQA49/w6oRNWg:OJD1G1HlzRwlYPrDPW5wEo
Score10/10-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-