General
-
Target
Token Generator.bat
-
Size
3.5MB
-
Sample
240527-15c8jada67
-
MD5
e984ebea899379a8c0a47f9308c7370b
-
SHA1
863330006bef4c55a1bc79771ae989dc0412f717
-
SHA256
9f413ae8218ec74eb61a052e1c2b8b27f8ee7038902db5aaea9c93e0752fa48b
-
SHA512
70934def86e93b350e72711e757cbe0a97a9a58259f184e2c97aeea3a2b9f016bb03e4fb499f3876248bfb43edec5e3949599448d95235afcb1b46d71362b975
-
SSDEEP
49152:HgquNH3RLlp72pnTcrwIBX1F2A5LzeuUxZ3u3AnCH4El0oKYlL:HY
Static task
static1
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Extracted
quasar
1.4.1
Token Gen
uk2.localto.net:6103
0c14e9f2-6918-4e50-8463-04ad871c1e3d
-
encryption_key
6BE0D74806BB58E6DB21FA6E3B6DB38B4A72BAFC
-
install_name
$77-powershell.exe
-
log_directory
$77-Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
$77-Rootkit
Targets
-
-
Target
Token Generator.bat
-
Size
3.5MB
-
MD5
e984ebea899379a8c0a47f9308c7370b
-
SHA1
863330006bef4c55a1bc79771ae989dc0412f717
-
SHA256
9f413ae8218ec74eb61a052e1c2b8b27f8ee7038902db5aaea9c93e0752fa48b
-
SHA512
70934def86e93b350e72711e757cbe0a97a9a58259f184e2c97aeea3a2b9f016bb03e4fb499f3876248bfb43edec5e3949599448d95235afcb1b46d71362b975
-
SSDEEP
49152:HgquNH3RLlp72pnTcrwIBX1F2A5LzeuUxZ3u3AnCH4El0oKYlL:HY
-
Quasar payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-