General
-
Target
Client-built.exe
-
Size
3.1MB
-
Sample
240407-wd133aab7w
-
MD5
145193333e64b74823c421d26f035480
-
SHA1
f9919b3e81793fc5ccfb48dff30606c08523361c
-
SHA256
d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa
-
SHA512
353b4e0f96f95b0ba553aaecb4b27e53c6d9fe9625547e2d614820aecd4a5103fb1b7a42d0e4eac055404c384e00ee7d046167f86f6743c374a2a9f5813aaf0a
-
SSDEEP
49152:KvjI22SsaNYfdPBldt698dBcjH361lpoGdVnTHHB72eh2NT:Kvc22SsaNYfdPBldt6+dBcjH361/F
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20240221-en
Malware Config
Extracted
quasar
1.4.1
Office04
2.tcp.eu.ngrok.io:16096
755f883f-4d58-4349-bc9e-f21c4e163b6f
-
encryption_key
EE65D8F2E429F4900E3A17963595716D863A2455
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
145193333e64b74823c421d26f035480
-
SHA1
f9919b3e81793fc5ccfb48dff30606c08523361c
-
SHA256
d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa
-
SHA512
353b4e0f96f95b0ba553aaecb4b27e53c6d9fe9625547e2d614820aecd4a5103fb1b7a42d0e4eac055404c384e00ee7d046167f86f6743c374a2a9f5813aaf0a
-
SSDEEP
49152:KvjI22SsaNYfdPBldt698dBcjH361lpoGdVnTHHB72eh2NT:Kvc22SsaNYfdPBldt6+dBcjH361/F
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-