General

Target: 54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781
Size: 786KB
Sample: 240402-z8mqpsdh7z
MD5: 579ebb1309ad953fa0cb52c33b190baa
SHA1: 70ccb8c950d96a7e6c32d09c307227f271a627ba
SHA256: 54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781
SHA512: 2b9d5413626358fae10013e2fd214ec5e66cf7c30665f896563a39f3564ef475cbda8de14cb6f9260d5f49b70a1967d1097c0f855e7985ebed78d2a0c25390d4
SSDEEP: 24576:6O7r0f+STf0QcR9CTsPsOcs1kITzH9FHB2PpO:6gAf+YMQceTs1t1/TzdFh20
Static task: static1
Behavioral task: behavioral1
Sample: 54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781.exe
Resource: win7-20240221-en
Malware Config

Extracted

Family: quasar
Version: 1.3.0.0
Tag: Office04 (the Quasar builder's default campaign tag, left unchanged)
C2: 83.147.53.145:3700
Mutex: QSR_MUTEX_6WQThXDTXhAO4iLfWV
encryption_key: rylGzNSu4oGtwQbffX0U
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds between reconnection attempts to the C2)
startup_key: Quasar Client Startup (value name written under the CurrentVersion\Run key for persistence)
subdirectory: SubDir (directory under the install base that receives Client.exe)
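The extracted config is only useful if it is turned into something that can be checked on other hosts. The following script is an added example, not code from the sandbox report, from Quasar, or from the report's author: it takes the config values listed above and runs them against a host snapshot (netstat rows, Run-key values, mutex names, file paths). The snapshot data marked SAMPLE_* is constructed for the demonstration and does not come from the report. It assumes the Quasar defaults of an install base under %APPDATA% with persistence in the HKCU Run key for a non-elevated client, which is why paths are matched on their `\SubDir\Client.exe` tail rather than on a full path.

```python
"""Host-triage checks derived from the Quasar config in the report above.

Added example; not code from the sandbox, from Quasar, or from the report.
CONFIG holds the values from the Malware Config section. SAMPLE_* is a
constructed host snapshot used only to exercise the checks.
"""
import re
from dataclasses import dataclass, field

CONFIG = {
    "version": "1.3.0.0",
    "tag": "Office04",
    "c2": "83.147.53.145:3700",
    "mutex": "QSR_MUTEX_6WQThXDTXhAO4iLfWV",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
    "reconnect_delay_ms": 3000,
}

# One TCP row of "netstat -ano": proto, local, remote, state, pid.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def install_suffix(cfg=CONFIG) -> str:
    """Quasar installs to <base>\\<subdirectory>\\<install_name>. The base
    (assumed %APPDATA% for a non-elevated client) varies per host, so match the tail."""
    return "\\" + cfg["subdirectory"] + "\\" + cfg["install_name"]


def network_hits(netstat_lines, cfg=CONFIG):
    """(pid, remote, kind) for sockets to the C2 address. The same host on another
    port is reported separately, since an operator may move ports between builds."""
    c2_host, c2_port = cfg["c2"].rsplit(":", 1)
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        host, port = m["remote"].rsplit(":", 1)
        if host == c2_host:
            kind = "c2" if port == c2_port else "c2-host-other-port"
            hits.append((int(m["pid"]), m["remote"], kind))
    return hits


def run_key_hits(run_values, cfg=CONFIG):
    """run_values: value name -> command from the CurrentVersion\\Run key (assumed
    HKCU for a non-elevated client). Flag the report's startup_key name or any
    command whose executable path ends in the expected install path."""
    suffix = install_suffix(cfg).lower()
    return [
        (name, cmd) for name, cmd in run_values.items()
        if name == cfg["startup_key"] or cmd.strip('"').lower().endswith(suffix)
    ]


def mutex_hits(mutex_names, cfg=CONFIG):
    """Exact match on the report's mutex, plus a family-level match on the
    QSR_MUTEX_ prefix the Quasar builder uses for generated mutex names."""
    return [
        (name, "sample" if name == cfg["mutex"] else "family")
        for name in mutex_names if name.startswith("QSR_MUTEX_")
    ]


def file_hits(paths, cfg=CONFIG):
    suffix = install_suffix(cfg).lower()
    return [p for p in paths if p.lower().endswith(suffix)]


@dataclass
class Hits:
    network: list = field(default_factory=list)
    run_keys: list = field(default_factory=list)
    mutexes: list = field(default_factory=list)
    files: list = field(default_factory=list)

    def positive(self) -> bool:
        return bool(self.network or self.run_keys or self.mutexes or self.files)


def scan(netstat_lines, run_values, mutex_names, paths, cfg=CONFIG) -> Hits:
    return Hits(
        network=network_hits(netstat_lines, cfg),
        run_keys=run_key_hits(run_values, cfg),
        mutexes=mutex_hits(mutex_names, cfg),
        files=file_hits(paths, cfg),
    )


# Constructed snapshot (not from the report): one benign HTTPS session, the C2
# session, a stale socket to the C2 host on another port, and one benign Run entry.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49811         203.0.113.10:443       ESTABLISHED     2208
  TCP    10.0.0.5:49812         83.147.53.145:3700     ESTABLISHED     4120
  TCP    10.0.0.5:49813         83.147.53.145:443      TIME_WAIT       0
""".splitlines()
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Quasar Client Startup": r'"C:\Users\bob\AppData\Roaming\SubDir\Client.exe"',
}
SAMPLE_MUTEXES = ["Global\\OneDriveSetup", "QSR_MUTEX_6WQThXDTXhAO4iLfWV"]
SAMPLE_FILES = [
    r"C:\Users\bob\AppData\Roaming\SubDir\Client.exe",
    r"C:\Users\bob\AppData\Roaming\SubDir\Logs",
]


def scan_sample() -> Hits:
    return scan(SAMPLE_NETSTAT, SAMPLE_RUN, SAMPLE_MUTEXES, SAMPLE_FILES)


if __name__ == "__main__":
    result = scan_sample()
    print("positive" if result.positive() else "clean", result)
```

On a live host the four inputs come from `netstat -ano`, the Run key under HKCU (or HKLM if the client was run elevated), a handle or mutex listing, and a directory walk; the checks themselves do not change. The prefix match on `QSR_MUTEX_` catches other Quasar builds that share nothing else with this sample, so it is the check to keep when the C2 and mutex values rotate.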
Targets

Target: 54d2d49ad4366ffc67625a32754dee1d802c2780de2fd8d1d3c9609c0f584781
Size: 786KB
MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the General section above
- Quasar payload
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables containing common artifacts observed in infostealers
- Detects executables packed with SmartAssembly
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext: altering another thread's context is a common step in process hollowing and other injection into a suspended process.