General
Target: serorox.zip
Size: 15.8MB
Sample: 240501-y8n34afh2t
MD5: e27ba230388a4a822fb48d12d3d7a906
SHA1: 0d3ec02edbdbbd7e4e615d0663084c14a8e8b7bd
SHA256: cc4ddee264eb2d333ac1b95eb2243f7bc9699398c7f7cadd5cce1e4d7fc72c02
SHA512: d06d16289f1f714283ecd80f3c7cdcf5c90afb6a55df2283987f5791854d2ea55f04bf09a2c5e7ddb2e10cf00cb1eeff5f0fedc6f2ec5590a6e37323a4a99d3e
SSDEEP: 393216:TnKgzRmCYe6kexg3P/Lwm00U9+9ge9rMkwHkMfZukCk7k:WCboxg3rwm0N9q9wkOxrI
Malware Config

Extracted: quasar
reconnect_delay: 5000

Extracted: quasar 3.1.5
Slave
192.168.1.20:4782
$Sxr-3vDee7FzoJnhqjuE3n
encryption_key: LcVYe5IBs1GiJF6d5bmv
install_name: $srr-powershell.exe
log_directory: Logs
reconnect_delay: 1000
startup_key: $srr-mstha
subdirectory: Windows
Targets
Target: serorox.zip
Size: 15.8MB
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- AgentTesla payload
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext