General
-
Target
ArgonOSINT.exe
-
Size
409KB
-
Sample
240504-tctw9aad6t
-
MD5
c4f70954d48c8653fde31fc63c619fc8
-
SHA1
c2fe0bc4eab66f6cbf19ab3a80817eba8084982e
-
SHA256
dbc30b002dad39a45fdd36c509d854dc931662235886f01ec149cd8cf904ddb5
-
SHA512
1a0db425192d25f1e96ac43a5ae18ff530ef11e2f1526fd6677f4b82b04e212679c347f5647be0d72665e2f587c2824b19d2104c48546eb049ae27fb7470defc
-
SSDEEP
12288:UpyJcC+x6AoV5l+6KprKF/UV6u4W0pDs:kwd+mDsV6u4g
Malware Config
Extracted
quasar
3.1.5
Slave
even-lemon.gl.at.ply.gg:33587
$Sxr-3vDee7FzoJnhqjuE3n
-
encryption_key
BfQu2aop09VkjugTkmuc
-
install_name
$sxr-powershell.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
$sxr-powershell
-
subdirectory
Windows
Targets
-
-
Target
ArgonOSINT.exe
-
Size
409KB
-
MD5
c4f70954d48c8653fde31fc63c619fc8
-
SHA1
c2fe0bc4eab66f6cbf19ab3a80817eba8084982e
-
SHA256
dbc30b002dad39a45fdd36c509d854dc931662235886f01ec149cd8cf904ddb5
-
SHA512
1a0db425192d25f1e96ac43a5ae18ff530ef11e2f1526fd6677f4b82b04e212679c347f5647be0d72665e2f587c2824b19d2104c48546eb049ae27fb7470defc
-
SSDEEP
12288:UpyJcC+x6AoV5l+6KprKF/UV6u4W0pDs:kwd+mDsV6u4g
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-