General
Target: R0X-Built.exe
Size: 409KB
Sample: 240501-vtbyfabh9y
MD5: 2812f62b21fe2118e1259169e015b054
SHA1: e96a2077f063b0c5fc9708f9c1e89283999e4211
SHA256: c2fac5230442f151a25ac8b3765caa659ecfe9e32e4e45e6e8097365a9a14436
SHA512: bf5e18186402fcfd5dcd79bbbbe382ff9754e69098b6477dcef8cb3d69d71d67857fe6caf2362ed14aaf79412afb396a0f829a44335b31b7497ce0f690bb2aa2
SSDEEP: 6144:cMP9p1kREG60olVji9QzNg/IiSjFqBFK6WbMN6Y44vZqJBWAb7yMTj:XpiREGJ2ji9QyAhK/N6gBqJBj7yMTj
Malware Config
Extracted
Family: quasar
Version: 3.1.5
Botnet: Slave
C2: 192.168.1.20:4782, localhost:4782
Mutex: $Sxr-3vDee7FzoJnhqjuE3n
encryption_key: hwZQsCIcvotNKosjYueb
install_name: $srr-powershell.exe
log_directory: Logs
reconnect_delay: 1000
startup_key: $srr-mstha
subdirectory: Windows
Targets
Target: R0X-Built.exe
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext