General
Target: Update.exe
Size: 409KB
Sample: 240421-vvdtesfh36
MD5: 93cd801b9e5e90edab480d3c1c135271
SHA1: b0c7e918ade7a47916603ebd9eb1e3b4d78062c2
SHA256: 89996d761395b9e79589c4c7c93cc21ae2b5a00a9ba8c46abbf395954f3d0133
SHA512: a5e207744fcb100fb24935ecda4c4214ac4cc7aca666b589fa1c451f1ad24c5a573cfe1b8150ac5510a866bb800251aa6ebf3fd685ed7a2e5fbc482791e143ed
SSDEEP: 6144:0rBUymyfpwzeiqv6Ef3RB17bdzjyue7zKINbuz2vcDJ8vtVQY:eBwz9/Ef3RB17FyuYKIQXDJ8vtCY
Behavioral task: behavioral1
Sample: Update.exe
Resource: win10-20240404-en

Behavioral task: behavioral2
Sample: Update.exe
Resource: win10v2004-20240412-en
Malware Config
Extracted: quasar
Version: 3.1.5
Botnet: SLAVE
C2: 147.185.221.19:33587
$Sxr-zpFqsQjJJh3miBvVnu
encryption_key: w1TSUMSbvOFQ9whpYTwH
install_name: BiosUpdX64YDPS.exe
log_directory: $sxr
reconnect_delay: 3000
startup_key: $sxr-mtsha
subdirectory: Windows
Targets
Target: Update.exe
Signatures
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext