General

Target: REAL-main.zip
Size: 55KB
Sample: 240407-blcp8agg6y
MD5: 27310bf2773dbce5c630aa347ad2f240
SHA1: d90aefa6fa6944dd0cb8aa607976c1ca4640e005
SHA256: 30adb9517db673b5fb40a6008b26ccd5b1cfa6cd6ec5522deb76f0aaa297343e
SHA512: dc41ce1ff3c676cdf8541b936a741fe74125563e694e4fe330a7edc4c1989cc136b8113d3a5216a831b299caceecddc602f2b3dfb3e4071b6a1caf32541ae7c4
SSDEEP: 1536:q0D/NYt+mgDhMNTSTSyYDdjeX5q451JDOvNt6u:DaEh1FYDdjN4zpOv36u
Malware Config

Extracted: eaglerat
- 127.0.0.1:9875
- 127.0.0.1:7788

Extracted: quasar
- 1.4.1
- Office04
- vfvrrvrvrvrvrvr-35467.portmap.host:35467
- 42c19677-a378-403b-8b5c-523aacc3fbe9
- encryption_key: 79CB68D716E5E9BC61C22CE57DCE4390CE3A4CF9
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Targets

Target: REAL-main/uhfwoioefejiofewjoifejofwjef.exe
Size: 64KB
MD5: c306d26df4e2c3c4fe7136b0e3ec1b60
SHA1: 619b6a3db59fc2832cfad689cc09c9512f572246
SHA256: 38138ee80f9e69441d020cd399073bd9e7cf78bc563dc87fb937bef620a62361
SHA512: daa499fbccc61d3d12351b849f2b9c883fdc3c7a4205e242800ce6fb14d59f55a8fd3e974f8fdeb2074b33fcdf79ca613d21999a481864b291125196b68d747d
SSDEEP: 1536:Dh3HaMmkefuYjsDAiENQVseNbIB2ngXPFo:d3GNjsD8YNOR9o
- Quasar payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory