General
Target: Unitiy.bat
Size: 328KB
Sample: 240510-hnpacscd33
MD5: 0ee7c57f11c57b122e268d622f5dacf7
SHA1: c8b8f2d4c5c2af87fce179b8149269a0a1f5d2f8
SHA256: 5923602664aeb453ef6ec843060247a9385fc30f4c5b6e800f4c7c2fc6d4981a
SHA512: 11ce15fb526918986493f94003f209da35fe3fff3204fce9b78aa726dfa1d78351fb83f3d21e42bb91409b51db44f7f27c4b8743ae05179dcd204ebb32597496
SSDEEP: 6144:gmnSwi3zx5ZsDcPzqu65BeZ0qGs0ZODo9/vZdgK1uXVI:gm6zx5qYPzqd5hC0ZzuXVI
Static task: static1
Malware Config
Extracted: quasar 3.1.5
Slave
looking-memphis.gl.at.ply.gg:45119
$Sxr-3vDee7FzoJnhqjuE3n
encryption_key: bjv1MgUogo1kl6Tra7jd
install_name: $srr-powershell.exe
log_directory: Logs
reconnect_delay: 1000
startup_key: $srr-powershell
subdirectory: Windows
Targets
Target: Unitiy.bat
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext