General
- Target: a968f7738c801b8528bb717d3928ee75523833a882bdbc4b03bdc6e8ad4cb41a
- Size: 9.2MB
- Sample: 240514-tmrjwaec44
- MD5: 49d267c77ead1c3fa6771fbc66a8b6af
- SHA1: 3d0cc3050c586be7fb30dc34b79578f139bf8f53
- SHA256: a968f7738c801b8528bb717d3928ee75523833a882bdbc4b03bdc6e8ad4cb41a
- SHA512: 8e2f9d9258867e648d26d359061239cccebe6669daaf57a843e53d2049e6176f944e8576ff33ac0c71f9183c49e44e1f51489718962a33d9e8a155d26fdbd7f0
- SSDEEP: 196608:lf8wZFR/l+SbRZEs4O/kNOqjoVq+4UIThroTj74d1m8qQKL+37OJ5Pi:lkI7/l+SbRZq8cORq+EThhdvLrQ5q
Behavioral task: behavioral1
- Sample: 268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
- Resource: win7-20240221-en
Malware Config

Extracted: discordrat
- discord_token: MTE5ODg5OTYxNjc0MjEyNTYxOQ.GnQUlc.09G3jOrvsBUkj3tHkQPTbGic1sDnwN7xUFlV3o
- server_id: 1201324675507171409

Extracted: quasar
- 1.4.1
- R3
- 96.42.209.236:1111
- fad4f0a7-8090-44d7-960d-b61c56ece71bz
- encryption_key: D280B26CAD37534E7E290E5D4BC1809E0C214936
- install_name: Shadow.exe
- log_directory: Logs
- reconnect_delay: 1
- startup_key: Shadow
- subdirectory: SubDir
Targets
- Target: 268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
- Size: 11.4MB
- MD5: 2f3b5b60129dc43350bc54e67d59a4ac
- SHA1: 08cdc5d4d0628c619897bf465f279f7d30d42b9f
- SHA256: 268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0
- SHA512: 725593bf2587bd1c2a8c5be02c168ad739010118f68606df1234a0aa1c31f582556a0139539f3068e7f174cd516956be608d05c6a597720138556a8a606fb749
- SSDEEP: 196608:+XeSEzpCQdLjv+bhqNVoB8Ck5c7GpNlpq41J2mrl0bk9qtlDfJpNZYXz:q4PL+9qz88Ck+7q3p91JNRqfg

Signatures
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Drops file in System32 directory