General
-
Target
a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
-
Size
3.1MB
-
Sample
240423-cdvrhabd91
-
MD5
2c1fba8d6624adf6c582fb2d5fb43b28
-
SHA1
bd45ee984e9476d604824f83c6cf6111a9db2467
-
SHA256
a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
-
SHA512
cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19
-
SSDEEP
49152:nvVG42pda6D+/PjlLOlg6yQipV6iRJ67bR3LoGdTqTHHB72eh2NT:nvM42pda6D+/PjlLOlZyQipV6iRJ6ND
Behavioral task
behavioral1
Sample
a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe
Resource
win7-20240221-en
Malware Config
Extracted
quasar
1.4.1
Office04
funlink.ddns.net:4444
quasarhost1.ddns.net:4444
c363b2f8-fc6a-4abd-a753-cff1aad2a173
-
encryption_key
CE5FBAC1A56C8C780C74FE8E7CD5CBCF8ABD6C8D
-
install_name
updale.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
windows av startup
-
subdirectory
SubDir
Targets
-
-
Target
a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
-
Size
3.1MB
-
MD5
2c1fba8d6624adf6c582fb2d5fb43b28
-
SHA1
bd45ee984e9476d604824f83c6cf6111a9db2467
-
SHA256
a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
-
SHA512
cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19
-
SSDEEP
49152:nvVG42pda6D+/PjlLOlg6yQipV6iRJ67bR3LoGdTqTHHB72eh2NT:nvM42pda6D+/PjlLOlZyQipV6iRJ6ND
-
Quasar payload
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables containing common artifacts observed in infostealers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops file in System32 directory
-