General
Target: python-3.12.3-amd64_protected.exe
Size: 8.6MB
Sample: 240519-zr7dsahf8w
MD5: 328626049b23e7d5fbe12f9503853d53
SHA1: 402ca69107944196f421a16ce3be363a0f4e991c
SHA256: 96eb67eaf4d600885d149701f7b720f004a1646775a179e77e8706762405e921
SHA512: 5425ef358018a66977e711bfa2a794c725bd153df5989cae52419115c981ce94cc15b6ae826c42d786aa3363151d9c051ae53407ab5e07fcc7365ef054b03c91
SSDEEP: 196608:VGjSZs4BJq1Ey1FJrMwM/RAWOY+3uWjNyWte7c:VXZsI0F5MYYjWjM7c
Behavioral task: behavioral1
Sample: python-3.12.3-amd64_protected.exe
Resource: win10-20240404-en

Behavioral task: behavioral2
Sample: python-3.12.3-amd64_protected.exe
Resource: win10v2004-20240508-en
Malware Config
Extracted: quasar
1.4.1
Python
5.39.43.50:1488
393fbc9d-531f-4025-b3f0-bed4d56f6ed3
encryption_key: 1E01F0D74E189002EDB2FABC8EC064751C9D7A63
install_name: Python.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Python3
subdirectory: Python3
Targets
Target: python-3.12.3-amd64_protected.exe
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger