General
- Target: Sexy.exe
- Size: 409KB
- Sample: 240421-vsrx9sfg88
- MD5: 4c5faec89139e079202a5208d49ed5a0
- SHA1: f26bf551e191af0dd01b5d39ae0c8489d94a877e
- SHA256: bbecd1e502693965f493ecb6a611dd86dc71b4bcb8471cf4c459d0b44e9f6378
- SHA512: 5d31a95a76a2d17967f685b47823682f8301164ee9386f267f2ce28b866429dfb48aa7ef7cb21a7ab8b732286fb99eee989d10e5040ea69a361ba83b0b22ec64
- SSDEEP: 12288:iBwz9kOUJIOSQoxdKIT00N2f3DPcCYDVouW5:i+JLOsVRi3YCYg
Behavioral task
- behavioral1
  - Sample: Sexy.exe
  - Resource: win10v2004-20240412-en
Malware Config
Extracted
- Family: quasar
- Version: 3.1.5
- Botnet: SLAVE
- C2: 147.185.221.19:33587
- Mutex: $Sxr-zpFqsQjJJh3miBvVnu
- encryption_key: LxGS9iJRjIMm1rV0MEzT
- install_name: BiosUpdX64YDPS.exe
- log_directory: $sxr
- reconnect_delay: 3000
- startup_key: $sxr-mtsha
- subdirectory: Windows
Targets
- Target: Sexy.exe
- Size: 409KB
- MD5: 4c5faec89139e079202a5208d49ed5a0
- SHA1: f26bf551e191af0dd01b5d39ae0c8489d94a877e
- SHA256: bbecd1e502693965f493ecb6a611dd86dc71b4bcb8471cf4c459d0b44e9f6378
- SHA512: 5d31a95a76a2d17967f685b47823682f8301164ee9386f267f2ce28b866429dfb48aa7ef7cb21a7ab8b732286fb99eee989d10e5040ea69a361ba83b0b22ec64
- SSDEEP: 12288:iBwz9kOUJIOSQoxdKIT00N2f3DPcCYDVouW5:i+JLOsVRi3YCYg
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext