General
-
Target
svchost.exe
-
Size
409KB
-
Sample
240606-n6z3gadh21
-
MD5
499ab44b3be0e431ee482c016f423b2f
-
SHA1
8f3fc11724012b202a6e78211a7bf4e323edb53f
-
SHA256
6f9865911d6878366ce10e06b5e5a6b04897df18c1c3ebfb73de573467720fb7
-
SHA512
54b2612624b4310d8e0c1f571a7b7a10fb2948eed9929b7fed50a8b10155ef10c541e1239c59a75e179c0705b9d27a770f5d37b8c254b00c659f1af3c5d55309
-
SSDEEP
6144:xMs9p1kREG60olUijSoNDu3MH6FFIUk6SsFbP7UIYQkG19asz6+MQ6M:dpiREGJHijSomjIoft7UIYxGHdmQ6M
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
svchost.exe
Resource
win11-20240426-en
Malware Config
Extracted
quasar
3.1.5
SeroXen | v3.1.5 |
dating-mpegs.gl.at.ply.gg:6566
$Sxr-jy6vh8CtEJL5ceZuIb
-
encryption_key
Nj2uU7r8zbApMgWfD7rz
-
install_name
$sxr-powershell.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
-
startup_key
Powershell
-
subdirectory
$sxr-seroxen2
Targets
-
-
Target
svchost.exe
-
Size
409KB
-
MD5
499ab44b3be0e431ee482c016f423b2f
-
SHA1
8f3fc11724012b202a6e78211a7bf4e323edb53f
-
SHA256
6f9865911d6878366ce10e06b5e5a6b04897df18c1c3ebfb73de573467720fb7
-
SHA512
54b2612624b4310d8e0c1f571a7b7a10fb2948eed9929b7fed50a8b10155ef10c541e1239c59a75e179c0705b9d27a770f5d37b8c254b00c659f1af3c5d55309
-
SSDEEP
6144:xMs9p1kREG60olUijSoNDu3MH6FFIUk6SsFbP7UIYQkG19asz6+MQ6M:dpiREGJHijSomjIoft7UIYxGHdmQ6M
Score10/10-
Quasar payload
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-