General
- Target: kadsfknads.exe
- Size: 409KB
- Sample: 240424-vta15sdg4z
- MD5: f78f2794728287425cac9fb2df79d06f
- SHA1: 3aedd26e40f9b97b76d2ac6ead991af37dcc61eb
- SHA256: 653cbbfc7a0733f10923772348b001a25f8c6ddb76c5de60dc8652d8b267d985
- SHA512: 12c2897886ee4052daf27199bb61d98b11a100c42d47fcd00694feaf1aff181f76ad9cab381236548f765da6d43f821ddfaff06adc3e82a8b92407cdcaef0c1f
- SSDEEP: 6144:prBdcuIns7ixFO/MlAGq0l9RkRSl/HVvKIIUb8rfVou49SDZQC8lU:Cs7ixmMlAGHlH/H1KIIRCSDZQ9U
Behavioral task: behavioral1
- Sample: kadsfknads.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: kadsfknads.exe
- Resource: win10v2004-20240412-en
Malware Config
Extracted
- quasar
- 3.1.5
- Office04
- 147.185.221.19:33587
- $Sxr-Y5UVaD4ms682Xx0mKC
- encryption_key: cNsPUetVqJ8ENI534piu
- install_name: DLLBOOSTRAPPER.exe
- log_directory: Upd Error Logs
- reconnect_delay: 3000
- startup_key: Windows 2H22 x64 2022
- subdirectory: DllHoster
Targets
- Target: kadsfknads.exe
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext