General
-
Target
d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833
-
Size
3.1MB
-
Sample
240412-cdlhtsca33
-
MD5
3396e77d0d043554c7f857a1249c75fe
-
SHA1
d3de2678e85f4ad63e5254782a58a85035aafecc
-
SHA256
d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833
-
SHA512
3128c03a0465d03127cf6df186533993e2337dce8ca821d8dbcaecd08c7ff7a6d2646de150b7afbe20641e4eb08104342813dfd2fe50346c8b47d40deedc67a4
-
SSDEEP
49152:WvnG42pda6D+/PjlLOlg6yQipV7tjMpETOk/FLoGd7RTHHB72eh2NT:WvG42pda6D+/PjlLOlZyQipVhj9
Behavioral task
behavioral1
Sample
d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe
Resource
win7-20240221-en
Malware Config
Extracted
quasar
1.4.1
Office04
10.10.8.36:4782
0.tcp.eu.ngrok.io:19992
tcp://5.tcp.eu.ngrok.io:10477
570f8f63-dc8c-471b-b7f5-710ac819d722
-
encryption_key
BB0B2DE4F1126E98797D1ABADF2CCEC47E72B5FD
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
150
-
startup_key
Platonus
-
subdirectory
SubDir
Targets
-
-
Target
d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833
-
Size
3.1MB
-
MD5
3396e77d0d043554c7f857a1249c75fe
-
SHA1
d3de2678e85f4ad63e5254782a58a85035aafecc
-
SHA256
d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833
-
SHA512
3128c03a0465d03127cf6df186533993e2337dce8ca821d8dbcaecd08c7ff7a6d2646de150b7afbe20641e4eb08104342813dfd2fe50346c8b47d40deedc67a4
-
SSDEEP
49152:WvnG42pda6D+/PjlLOlg6yQipV7tjMpETOk/FLoGd7RTHHB72eh2NT:WvG42pda6D+/PjlLOlZyQipVhj9
-
Quasar payload
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables containing common artifacts observed in infostealers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-