General
-
Target
experimentingnew.exe
-
Size
3.1MB
-
Sample
240420-jg3pvabg85
-
MD5
399bbb3dc58bcc8cc2fe9aef9a3ebac5
-
SHA1
37be03a9765a8b321c0ddf2ff00acdb106502b7b
-
SHA256
821f6a7afc4b55e5b636deb590d71b6e5807ad2875cb7feca4e47e1dec7c3d98
-
SHA512
98e70c54329089015535e30f32006ef8731e69dd32234590ef7f8388403cd68e86c5a4030083f8c510c46c7d0f995fe3a9a82db01a0b6fc288ea7eb5db5fa64f
-
SSDEEP
49152:LvXlL26AaNeWgPhlmVqvMQ7XSKkZxNESEYk/iMLoGdHCTHHB72eh2NT:LvVL26AaNeWgPhlmVqkQ7XSKex/S3
Malware Config
Extracted
quasar
1.4.1
Office04
0.tcp.eu.ngrok.io:15209
2c47ae55-417f-4523-8ffe-361bacffde6b
-
encryption_key
5921775375700E0556963615862881AFA90D9F9F
-
install_name
Microsoft Windows Search Indexer.exe
-
log_directory
Discord
-
reconnect_delay
3000
-
startup_key
Runtime Broker
-
subdirectory
svchost
Targets
-
-
Target
experimentingnew.exe
-
Size
3.1MB
-
MD5
399bbb3dc58bcc8cc2fe9aef9a3ebac5
-
SHA1
37be03a9765a8b321c0ddf2ff00acdb106502b7b
-
SHA256
821f6a7afc4b55e5b636deb590d71b6e5807ad2875cb7feca4e47e1dec7c3d98
-
SHA512
98e70c54329089015535e30f32006ef8731e69dd32234590ef7f8388403cd68e86c5a4030083f8c510c46c7d0f995fe3a9a82db01a0b6fc288ea7eb5db5fa64f
-
SSDEEP
49152:LvXlL26AaNeWgPhlmVqvMQ7XSKkZxNESEYk/iMLoGdHCTHHB72eh2NT:LvVL26AaNeWgPhlmVqkQ7XSKex/S3
-
Quasar payload
-
Drops file in Drivers directory
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-