General
-
Target
xMainDab.rar
-
Size
110KB
-
Sample
240602-s6qk9afh3v
-
MD5
da3cd4f40dbda9603d615420f1f03abf
-
SHA1
6536f4b774c84e94c449f2893adc5f53ecfe5ccb
-
SHA256
2d69da9d85e385e410a5934b936037add1b249396a3b21a1567e87770194197a
-
SHA512
01d40ab409fa3132412fa6bcf3e2c05cd0fa5b4b09a2e7ddb1a42e3900627b447501575c75be41ca8ed2ffb47e2a01856182a95dac947a5dfa7e2c847a26d2e4
-
SSDEEP
3072:4UHTSNVLu96rC7mB2ew697nwDdKonygRxXGLQKZ4nUK7Uh:4UHTELJkiG697wDdKodxXGMKZNt
Behavioral task
behavioral1
Sample
Install.cmd
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Install.cmd
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Loader.exe
Resource
win7-20240508-en
Malware Config
Extracted
quasar
1.4.0.0
Office
espinyskibidi-40205.portmap.host:40205
CdrjrrWbtRopP1ic7E
-
encryption_key
P2ctPN6uGReD4W1dEypm
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Client
-
subdirectory
Microsoft
Targets
-
-
Target
Install.cmd
-
Size
407B
-
MD5
d605e519c8fb10ecc49055af63c0f213
-
SHA1
a69b61879040aa541258035461260159ea51369a
-
SHA256
1452be84cfc1ea5aee5db2011fe8e2a5b72ff2fe637b77696d720734f58eac89
-
SHA512
304e8825d0afa6f7235859bb2083d728510d48806b06214225978592e8c4f8d065e1bcf3ca9eb39d4312b762a83e1054237d11cecbb3347ef4868bb4574b0e2b
-
Quasar payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
Loader.exe
-
Size
286KB
-
MD5
4e47b6257fa7e2221df20e6d9f7fc47a
-
SHA1
7d6116a578f51d87cad1efe9e5971c412eb769a9
-
SHA256
eeddf97a4c02250bdff26feba1085ff30277d2f71054cd32e8796554fffb23e6
-
SHA512
6e5e3d2e865fa2c2d229c70f7a10a3821316b91b7daa66ecdfea9dcc7275d30da56f56a90eb64fdbe603e0aa50d5d797c40a4877e48ab0328a6d6ebc06ddd532
-
SSDEEP
6144:OhVZx2zU1Ypil1TQxqhzu4nkhdVwbjJ1ybkWrrpo:ExT1tY4Idc1ybkWho
-
Quasar payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-