General
Target: me.jpg
Size: 48KB
Sample: 240416-znlmxacc97
MD5: 87e714296cd412357bb84d901bf1eb4c
SHA1: 063fd47c5d1eefa37bbf509b8cd5d3cd9fa58bcb
SHA256: 0c17679435f56f8356cc18e4c02024f04adac1fa030b8e74e140eccd10c514d4
SHA512: 41f5fcd7c1ded42d6bdc601943f80158bd5957e46378aabc025d9a094683c17a0d5a34f6eb62163febeda7b6c769d680adc054d97612520bf2ec24c28aea7feb
SSDEEP: 1536:GcViwPM3MkDQ/iZ7Hai9eNMVBGD9vVDgly3M6:/MwE3fDQ/weDNVoy3N
Static task: static1
Behavioral task: behavioral1
Sample: me.jpg
Resource: win10-20240404-en
Malware Config
Extracted: https://github.com/aspdasdksa/TROLLLOLL/raw/main/hello.exe
Extracted: quasar
1.4.1
Test
47.134.26.200:4782
193.161.193.99:23325
9cabbafb-503b-49f1-ab22-adc756455c10
encryption_key: 8B93C77AC1C58EA80A3327E9FD26246A79EF3B8E
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: MS Build Tools
subdirectory: Microsoft-Build-Tools
Targets
Target: me.jpg
Score: 10/10
Quasar payload
Renames multiple (207) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2