General

Target: ImageLoggerV12.1.exe
Size: 67.2MB
Sample: 240426-vy77fahc71
MD5: b20331fa046509f76ceda8e27aeb77b6
SHA1: 14c1ba0796eb3e96743b53c37bfb281483ba3df9
SHA256: 5ec5e53e7ce7c77ae1c320e8342f4f341eb8cda9445bfd5d96d57a6b449ab2a5
SHA512: ecd77c9387bc2088be542b8be151e84fa710a414ccc6ea9a810aad968301d64ae004d5e721266a38d65993943bbcfd9b6a4200d6bd3f546d21df77e82fa01908
SSDEEP: 786432:+IsHSlubkIuIiRBE5EXssNvKtQXXizbsjwAWMhirL2rskj+V8MiCKEa27pW3j0hX:uyjpIiRLhibvKS703gXrlx79mK+S
Static task: static1
Behavioral task: behavioral1
Sample: ImageLoggerV12.1.exe
Resource: win7-20240221-en
Malware Config

Extracted family: quasar
Version: 1.4.1
Office04
C2: NareReti-40382.portmap.host:40382
1f3547a3-6112-47d5-9c48-4fb1bd3d6344
encryption_key: CE886B4F24E457903274F7555F940215147255CD
install_name: CasNic.exe
log_directory: Logs
reconnect_delay: 3000 (ms)
startup_key: Google Chrome
subdirectory: SubDir
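The extracted configuration is directly actionable: the client installs as CasNic.exe under a SubDir folder, writes keylogs to a Logs folder, persists through a Run value named "Google Chrome" (a name chosen to blend in with a real Chrome autostart entry), and beacons to NareReti-40382.portmap.host on TCP 40382. The following is an added example, not part of the sandbox report or of Quasar itself: it turns those config values into IOCs and runs them over a handful of constructed registry, network and file events. The AppData\Roaming parent path, the event schema and the assumption that a genuine Chrome autostart entry launches chrome.exe are all mine; only the config values come from the report.

```python
# Added example, not part of the sandbox report: turn the extracted Quasar
# configuration into IOCs and check constructed host/network events against them.
from typing import Any, Dict, List, Tuple

# Values copied from the report's "Malware Config" section.
QUASAR_CONFIG: Dict[str, Any] = {
    "version": "1.4.1",
    "hosts": ["NareReti-40382.portmap.host:40382"],
    "install_name": "CasNic.exe",
    "subdirectory": "SubDir",
    "startup_key": "Google Chrome",
    "log_directory": "Logs",
}

# Assumption (not in the report): a genuine Chrome autostart entry launches chrome.exe.
LEGITIMATE_CHROME_IMAGE = "chrome.exe"


def c2_endpoints(cfg: Dict[str, Any]) -> List[Tuple[str, int]]:
    """Split Quasar 'host:port' entries into (lower-cased host, port) pairs."""
    endpoints = []
    for entry in cfg["hosts"]:
        host, _, port = entry.rpartition(":")
        endpoints.append((host.lower(), int(port)))
    return endpoints


def _command_image(command: str) -> str:
    """Return the executable path of a Run-value command (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def run_value_is_suspicious(value_name: str, command: str, cfg: Dict[str, Any]) -> bool:
    """Flag a Run value that borrows the config's startup_key ('Google Chrome') but does
    not launch Chrome, or that launches install_name / lives in the config's subdirectory."""
    parts = _command_image(command).replace("/", "\\").lower().split("\\")
    basename = parts[-1]
    parent = parts[-2] if len(parts) > 1 else ""
    masquerade = (value_name.lower() == cfg["startup_key"].lower()
                  and basename != LEGITIMATE_CHROME_IMAGE)
    return (masquerade
            or basename == cfg["install_name"].lower()
            or parent == cfg["subdirectory"].lower())


def scan_events(events: List[Dict[str, Any]], cfg: Dict[str, Any]) -> List[Tuple]:
    """Return (category, *details) hits for registry, network and file events."""
    hits: List[Tuple] = []
    c2 = set(c2_endpoints(cfg))
    install_dir = "\\" + cfg["subdirectory"].lower() + "\\"
    log_dir = "\\" + cfg["log_directory"].lower() + "\\"
    install_exe = "\\" + cfg["install_name"].lower()
    for ev in events:
        if ev["type"] == "registry" and ev["key"].lower().endswith("\\currentversion\\run"):
            if run_value_is_suspicious(ev["value"], ev["data"], cfg):
                hits.append(("persistence", ev["value"], ev["data"]))
        elif ev["type"] == "network":
            if (ev["dst"].lower(), int(ev["port"])) in c2:
                hits.append(("c2", ev["dst"], ev["port"]))
        elif ev["type"] == "file":
            path = ev["path"].lower()
            # Quasar drops the client and its keylog folder inside the same subdirectory.
            if install_dir in path and (path.endswith(install_exe) or log_dir in path):
                hits.append(("install_artifact", ev["path"]))
    return hits


# Constructed events (not from the report). The AppData\Roaming parent is assumed;
# the report only gives the SubDir, CasNic.exe and Logs names.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Google Chrome", "data": r'"C:\Users\user\AppData\Roaming\SubDir\CasNic.exe"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Google Chrome",
     "data": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window'},
    {"type": "network", "dst": "NareReti-40382.portmap.host", "port": 40382},
    {"type": "network", "dst": "example.com", "port": 443},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\SubDir\Logs\2024-04-26"},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\SubDir\CasNic.exe"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS, QUASAR_CONFIG):
        print(hit)
```

The Run-value check deliberately keys on the mismatch between the value name and the launched image rather than on the name alone, so a real Chrome autostart entry does not fire; the C2 match is on host and port together, since portmap.host hands out many hostnames and the port is part of what identifies this operator.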
Targets

Target: ImageLoggerV12.1.exe
Size: 67.2MB
MD5: b20331fa046509f76ceda8e27aeb77b6
SHA1: 14c1ba0796eb3e96743b53c37bfb281483ba3df9
SHA256: 5ec5e53e7ce7c77ae1c320e8342f4f341eb8cda9445bfd5d96d57a6b449ab2a5
SHA512: ecd77c9387bc2088be542b8be151e84fa710a414ccc6ea9a810aad968301d64ae004d5e721266a38d65993943bbcfd9b6a4200d6bd3f546d21df77e82fa01908
SSDEEP: 786432:+IsHSlubkIuIiRBE5EXssNvKtQXXizbsjwAWMhirL2rskj+V8MiCKEa27pW3j0hX:uyjpIiRLhibvKS703gXrlx79mK+S
Signatures:
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- XMRig Miner payload
- Blocklisted process makes network request
- Drops file in Drivers directory
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext