General

Target:      thesigma.exe
Size:        1.6MB
Sample:      240422-wny2fsec91
MD5:         7689437063c4eb4aab919fd25de6702d
SHA1:        36252a4df082fef51b2a1ab07f771e17860986d1
SHA256:      440271ab4c5959d7679fe00e6b223bcb8401a869e72d464cde8f880ff62f58da
SHA512:      13b874366ae7c25ba70f79cc3bd36af8668f3a0c750696c149a8cc15ee6cb850b002612ee519188910884b391b41667f1b072dac2d7a3a44a265f25201c22145
SSDEEP:      24576:0IjFRSPYlrMKgc6bN5WV63pDWWb6ohTLzeUtfjldLNvyvI:1jDaYlrM/NhLfdLNMI
Static task: static1
Malware Config

Extracted:    quasar
Version:      3.1.5
Campaign tag: Slave
C2:           nugget1234-38628.portmap.host:38628
Mutex:        $Sxr-AYc4tpo0KefMRW4CpM

The version, tag, C2 and mutex values are printed without field names in the report; the labels above follow the order in which the extractor lists a Quasar client's settings and are editorial. Note that the C2 is a *.portmap.host name, a port-forwarding service that tunnels traffic to the operator's real host: the address this name resolves to belongs to the tunnelling service, not to the operator, so block or hunt on the hostname rather than the resolved IP.

encryption_key:  O77hjXYiXiE656Wt67Lm   (key material from which the client derives the AES key protecting its embedded settings)
install_name:    System.exe             (file name the client copies itself to on install)
log_directory:   Logs                   (folder used for keylogger logs)
reconnect_delay: 1000                   (milliseconds to wait between reconnection attempts to the C2)
startup_key:     WindowsAudioHelper     (name of the persistence entry, i.e. the Run registry value or scheduled task)
subdirectory:    Windows                (subfolder of the install base directory; the base itself is not part of this extraction, so the installed path is <base>\Windows\System.exe)
Targets

thesigma.exe, 1.6MB (the same file as under General; its hashes are listed there and are not repeated here)

Signatures
Quasar payload
Checks computer location settings: reads the country code configured in the registry, most likely as a geofence check before the payload runs.
Executes dropped EXE: the report does not name the dropped file, but this is consistent with the configured install_name System.exe placed in a Windows subdirectory.
Looks up external IP address via web service: queries a legitimate IP lookup service to learn the infected system's external IP address.
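A practitioner reading this report usually wants to turn the extracted config and the behaviour signatures into host and network checks. The following is an added example, not part of the sandbox report and not Quasar's own code: a small Python matcher that runs the report's indicators (the file hashes, the C2 host and port, the startup_key Run value, and the subdirectory\install_name path) over Sysmon-style JSON events. The Sysmon field names and the constructed sample events are assumptions, including the AppData install base, which the extracted config does not state.

```python
"""Hunt the indicators from the Quasar report above in Sysmon-style events.

Added example, not part of the sandbox report. Field names follow Sysmon's
event schema (EventID 1 process create with Hashes, 3 network connect,
13 registry value set); the sample events at the bottom are constructed.
"""
import json

# Indicators taken from the report. The install base folder is not in the
# extracted config, so only <subdirectory>\<install_name> is matched.
IOCS = {
    "sha256": "440271ab4c5959d7679fe00e6b223bcb8401a869e72d464cde8f880ff62f58da",
    "md5": "7689437063c4eb4aab919fd25de6702d",
    "c2_host": "nugget1234-38628.portmap.host",
    "c2_port": 38628,
    "startup_key": "windowsaudiohelper",        # Run value name, compared lower-case
    "install_suffix": "\\windows\\system.exe",  # <subdirectory>\<install_name>
}


def parse_sysmon_hashes(hashes: str) -> dict:
    """Turn Sysmon's 'SHA256=...,MD5=...' field into {algo: lowercase hex}."""
    out = {}
    for part in hashes.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().lower()] = value.strip().lower()
    return out


def match_event(ev: dict) -> list:
    """Return the names of the indicators an event matches (empty if none)."""
    hits = []
    eid = ev.get("EventID")
    image = str(ev.get("Image", "")).lower()
    if eid == 1:  # process create
        h = parse_sysmon_hashes(ev.get("Hashes", ""))
        if h.get("sha256") == IOCS["sha256"] or h.get("md5") == IOCS["md5"]:
            hits.append("file-hash")
        if image.endswith(IOCS["install_suffix"]):
            hits.append("install-path")
    elif eid == 3:  # network connect
        host = str(ev.get("DestinationHostname", "")).lower().rstrip(".")
        if host == IOCS["c2_host"]:
            hits.append("c2-host")
        # The port alone is a weak indicator; it is reported separately so a
        # triage rule can require it together with a stronger hit.
        if int(ev.get("DestinationPort", 0) or 0) == IOCS["c2_port"]:
            hits.append("c2-port")
    elif eid == 13:  # registry value set
        target = str(ev.get("TargetObject", "")).lower()
        if target.endswith("\\run\\" + IOCS["startup_key"]):
            hits.append("startup-key")
        if str(ev.get("Details", "")).lower().endswith(IOCS["install_suffix"]):
            hits.append("install-path")
    return hits


def scan(jsonl: str) -> list:
    """Scan newline-delimited JSON events; return [(event_index, hits), ...]."""
    results = []
    for idx, line in enumerate(l for l in jsonl.splitlines() if l.strip()):
        hits = match_event(json.loads(line))
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample events: the first four mimic this sample's install and
# beaconing (AppData as install base is an assumption), the last two are benign.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\victim\\Downloads\\thesigma.exe", "Hashes": "SHA1=36252a4df082fef51b2a1ab07f771e17860986d1,MD5=7689437063c4eb4aab919fd25de6702d,SHA256=440271ab4c5959d7679fe00e6b223bcb8401a869e72d464cde8f880ff62f58da"}
{"EventID": 1, "Image": "C:\\Users\\victim\\AppData\\Roaming\\Windows\\System.exe", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsAudioHelper", "Details": "C:\\Users\\victim\\AppData\\Roaming\\Windows\\System.exe"}
{"EventID": 3, "Image": "C:\\Users\\victim\\AppData\\Roaming\\Windows\\System.exe", "DestinationHostname": "nugget1234-38628.portmap.host", "DestinationPort": 38628}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "example.org", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "Hashes": "SHA256=ffff"}
"""

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The second process-create event shows why the hash alone is not enough: the installed copy of the client need not hash-match the original dropper, so the path and Run-value checks carry the detection once the sample has installed itself. Treat "c2-port" as corroboration only; the *.portmap.host hostname is the indicator that identifies this operator's tunnel.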