General
-
Target
Uni.bat
-
Size
409KB
-
Sample
240510-hycdjsch73
-
MD5
f8f7e612c70c0cfb734e0a8b47ecff5a
-
SHA1
55daed611f6a5d7f3e46b6ad1c1ef125fe7ab37d
-
SHA256
baa1d7de5d93fade36fa20d98d3c0466198a129bebd17302f5f5d8ae03779bda
-
SHA512
38300f170b9464098312f36ae2e43d510dfd7ec6508f29fd50dd6dd65c1ba64804e4d341eb31f49b816383e4cb80d8ae1bf4ab3de6829acc0ca4e9148c970233
-
SSDEEP
6144:zMu9p1kREG60oljWsIgingBbx7SxSphehObnD4xZEzLkf2HOZzkShh1jFJVY/:VpiREGJtsIgith5xKvkf2uZzDPjFc/
Malware Config
Extracted
quasar
3.1.5
slave
looking-memphis.gl.at.ply.gg:45119
$Sxr-xwY9ZOTOHsQiE2cIYc
-
encryption_key
BkqeT44kDiMZNIFpwpqf
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
Uni.bat
-
Size
409KB
-
MD5
f8f7e612c70c0cfb734e0a8b47ecff5a
-
SHA1
55daed611f6a5d7f3e46b6ad1c1ef125fe7ab37d
-
SHA256
baa1d7de5d93fade36fa20d98d3c0466198a129bebd17302f5f5d8ae03779bda
-
SHA512
38300f170b9464098312f36ae2e43d510dfd7ec6508f29fd50dd6dd65c1ba64804e4d341eb31f49b816383e4cb80d8ae1bf4ab3de6829acc0ca4e9148c970233
-
SSDEEP
6144:zMu9p1kREG60oljWsIgingBbx7SxSphehObnD4xZEzLkf2HOZzkShh1jFJVY/:VpiREGJtsIgith5xKvkf2uZzDPjFc/
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-