General
Target: IncognitoExecutorPro.exe
Size: 10.1MB
Sample: 240603-s8j69ace83
MD5: 31bf96839daa9a6040bc08cdb08a14fb
SHA1: 61b1b04ad917615bba369b269792df863c12658e
SHA256: 2760a9f7cf2f6173b214a2309e2875a4ee1b6d301e2781ed1033dfbdc367e059
SHA512: f369cdf20cb44b0824f9a9ad2ade55c2eb068074af6470700d526a24f7b738062de67e7f05ee40a0641c5f193769502d59dd5167a4cf0e8f9c6f01ebeeddf56a
SSDEEP: 196608:y6wZYKg9Sw7sghUuE1R1R9iVTdRUo/Rf7KG0ZLK+4eCA6Pt7R:5kwDh10RsFzUURTclC5t7
Behavioral task: behavioral1
Sample: IncognitoExecutorPro.exe
Resource (analysis VM image): win7-20240221-en
Malware Config
Extracted family: quasar
Version: 1.4.1
Tag: Office04
C2: 0.tcp.eu.ngrok.io:14456
Mutex: 2aabc0d2-2673-4473-9d8e-30b4863e718a
encryption_key: 91137B461EAD4C8D03DB7ED595191162855E87F2
install_name: DRIVER32.exe
log_directory: Logs
reconnect_delay: 1000
startup_key: DRIVER32
subdirectory: SYSWOW
Targets
Target: IncognitoExecutorPro.exe
Size: 10.1MB
Signatures
- Quasar payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2 (the C2 endpoint above is an ngrok TCP tunnel)
- Drops file in System32 directory
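The extracted config and the hash block are only useful if they are turned into something a responder can act on. The following is an added example (Python, not part of the sandbox report or of Quasar itself): it parses the flattened key/value layout of the report, derives the host-side artefacts to hunt for (mutex, Run-key value name, dropped file name, C2 host and port), and checks a candidate file's hashes against the ones listed. The report text embedded in the block is a constructed copy of the fields above, the file bytes used in the hash check are constructed, and the field labels `tag` and `mutex` are my reading of the unlabelled config values.

```python
"""Triage helpers for the Quasar config and hashes in the report above.

Added example, not code from the sandbox report or from Quasar. The
embedded REPORT_CONFIG text is a constructed copy of the page's fields.
"""
import hashlib

# Constructed copy of the extracted-config fields shown in the report,
# in the report's own "key / value / -" layout so the parser is exercised
# on realistic input. The labels "tag" and "mutex" are assumed.
REPORT_CONFIG = """\
version
1.4.1
-
tag
Office04
-
c2
0.tcp.eu.ngrok.io:14456
-
mutex
2aabc0d2-2673-4473-9d8e-30b4863e718a
-
encryption_key
91137B461EAD4C8D03DB7ED595191162855E87F2
-
install_name
DRIVER32.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
DRIVER32
-
subdirectory
SYSWOW
"""

# Hashes the report lists for IncognitoExecutorPro.exe.
REPORT_HASHES = {
    "md5": "31bf96839daa9a6040bc08cdb08a14fb",
    "sha1": "61b1b04ad917615bba369b269792df863c12658e",
    "sha256": "2760a9f7cf2f6173b214a2309e2875a4ee1b6d301e2781ed1033dfbdc367e059",
    "sha512": "f369cdf20cb44b0824f9a9ad2ade55c2eb068074af6470700d526a24f7b738062"
              "de67e7f05ee40a0641c5f193769502d59dd5167a4cf0e8f9c6f01ebeeddf56a",
}

_HASHERS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}


def parse_kv_report(text):
    """Parse the flattened 'key' / 'value' pairs; '-' lines are separators."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]
    if len(lines) % 2:
        raise ValueError("odd number of lines: a key is missing its value")
    return {k.lower(): v for k, v in zip(lines[0::2], lines[1::2])}


def derive_host_iocs(cfg):
    """Turn the config into the artefacts a responder hunts for on a host."""
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "mutex": cfg["mutex"],
        # Quasar persists via a Run-key value named after startup_key.
        "run_key_value": cfg["startup_key"],
        # Dropped copy lives under <install dir>\<subdirectory>\<install_name>.
        "dropped_file": cfg["subdirectory"] + "\\" + cfg["install_name"],
        "log_directory": cfg["log_directory"],
        "c2_host": host,
        "c2_port": int(port),
        "reconnect_delay_ms": int(cfg["reconnect_delay"]),
        # ngrok TCP endpoints are rented tunnels whose host:port is reassigned
        # when the operator restarts the tunnel, so the exact pair is a
        # short-lived IOC; key detections on the tunnel domain as well.
        "c2_is_ngrok_tunnel": host.endswith(".ngrok.io"),
    }


def hash_bytes(data):
    """Compute the same four digests the report lists, as lowercase hex."""
    return {name: fn(data).hexdigest() for name, fn in _HASHERS.items()}


def matches_report(data, expected=REPORT_HASHES):
    """True only if every listed digest matches; one mismatch means a different file."""
    actual = hash_bytes(data)
    return all(actual[name] == value.lower() for name, value in expected.items())


def matches_report_file(path, expected=REPORT_HASHES):
    """Same check against a file on disk (e.g. a quarantined DRIVER32.exe)."""
    with open(path, "rb") as fh:
        return matches_report(fh.read(), expected)


if __name__ == "__main__":
    for key, value in derive_host_iocs(parse_kv_report(REPORT_CONFIG)).items():
        print(f"{key}: {value}")
```

Point the file check at a recovered `DRIVER32.exe` rather than only at the original dropper: a match tells you the installed copy is byte-identical to the analysed sample, while a mismatch with the same config values usually means a rebuilt or re-packed build from the same operator.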