General
Target: sample
Size: 18KB
Sample: 240407-zxq9raeg86
MD5: 1a142ed78fd54fe0b5427027ba902905
SHA1: 8335a20c0ff1c7e89a64a1b06787f6e1c21b7fc4
SHA256: e89e17a5b8d5ab76a31f4404041fc1f9b5d2806c84dfce6034acb481133edb89
SHA512: 4ea1f9fd0fc3391dace74273997a33f387ed5bbe12338c4fe86323fb71cf2665fff59567e943a1b2c78e9202556f23a290999d50346daec84117b43004fd5e75
SSDEEP: 384:rMLpG3YtDpmReVoOs4EsN9ylKeGMzaU8HhhbO3BS137P2cdS2LjFrSE3+IVJCBXu:rMLOYtBVoOs4EsryI1MzQBhbORS1rP2i
Static task: static1
Behavioral task: behavioral1
Sample: sample.html
Resource: win11-20240221-en
Malware Config
Extracted
quasar
1.4.1
Office04
6.tcp.ngrok.io:16799
0c20af10-1b0a-4d0e-bbca-3718ee39e827
encryption_key: 284202D1B7ED732612BB54048953C4453A2549F9
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System32
subdirectory: SubDir
Targets
Target: sample
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.