General

Target: 17634226205.zip
Size: 67.9MB
Sample: 240606-qzqxbseg91
MD5: fb3798726fbd48cb7dce89e3dfb5ceac
SHA1: 2f54d26c1f0b59fe52c8a53c040a90ad1b69c29a
SHA256: 7b95a57099ef6c8a418678a323f5cc8e3065bd7e04d3f9fb9b3f66cb0a2e37ab
SHA512: a5e0dd293cf433f3ff2ead3e65345c4f97f8a3821c256fc465076b2ec4f7cc71b1e8163e0d0c8f3718e7c376e1788b83cc3139d0379d676edc78433d05342c1b
SSDEEP: 1572864:VZlVxWT6uh1A8N6qJUMGg7JKRL8EcgUEu5EgoB3pCqmfTmBfvyJz80wnNU+:XQmuDndZWLHcgz2YZZmbmEJ40wnu+
Static task: static1

Behavioral task: behavioral1
  Sample: 3c3709b1034ea2023c6a40a2f2c66f27e63000b5f3f398ff11a71da44a2969ff.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 3c3709b1034ea2023c6a40a2f2c66f27e63000b5f3f398ff11a71da44a2969ff.exe
  Resource: win10v2004-20240508-en
Malware Config

Extracted: quasar
Version: 1.3.0.0
iSpring Suite
C2: dragons.4cloud.click:1982
rAok3Bn91dJeJbDXOl
encryption_key: 1KJfoF8pVLBGtN9uzB0i
install_name: Client.exe
log_directory: 4K
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
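The extracted config above is directly actionable for hunting: the C2 host and port, the dropped file name under its subdirectory, and the Run-key value name are all host or network observables. The following is an added example, not part of the sandbox output or of the Quasar code base, that turns those fields into indicators and runs them over a handful of constructed Sysmon-style events (the event dicts, the field names and the assumption that startup_key is the value name written under CurrentVersion\Run are mine; the install base directory is not in the extracted config, so the path match anchors only on the trailing \SubDir\Client.exe).

```python
import re

# Values copied from the "Malware Config" section of this report.
QUASAR_CONFIG = {
    "c2": "dragons.4cloud.click:1982",
    "install_name": "Client.exe",
    "startup_key": "Quasar Client Startup",
    "subdirectory": "SubDir",
}


def build_indicators(cfg):
    """Derive host/network indicators from an extracted Quasar config."""
    host, port = cfg["c2"].rsplit(":", 1)
    # The base install directory is not part of the extracted config, so
    # match only the tail "\<subdirectory>\<install_name>" of any path.
    tail = r"\\" + re.escape(cfg["subdirectory"]) + r"\\" + re.escape(cfg["install_name"]) + r"$"
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        # ASSUMPTION: startup_key is the value name under CurrentVersion\Run
        # (consistent with the "Adds Run key" signature in this report).
        "run_value_name": cfg["startup_key"],
        "install_path_re": re.compile(tail, re.IGNORECASE),
    }


def match_event(ev, ind):
    """Return the indicator names one Sysmon-style event dict hits ([] if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # RegistryEvent (value set)
        target = ev.get("TargetObject", "").lower()
        if target.endswith(("\\currentversion\\run\\" + ind["run_value_name"]).lower()):
            hits.append("run_key_startup_key")
        if ind["install_path_re"].search(ev.get("Details", "")):
            hits.append("run_key_points_to_install_path")
    elif eid == 11:  # FileCreate
        if ind["install_path_re"].search(ev.get("TargetFilename", "")):
            hits.append("dropped_install_name_in_subdir")
    elif eid == 22:  # DNSEvent
        if ev.get("QueryName", "").lower() == ind["c2_host"]:
            hits.append("c2_dns_query")
    elif eid == 3:  # NetworkConnect
        if (ev.get("DestinationPort") == ind["c2_port"]
                and ev.get("DestinationHostname", "").lower() == ind["c2_host"]):
            hits.append("c2_connect")
    return hits


# Constructed sample events; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup",
     "Details": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"},
    {"EventID": 22, "QueryName": "dragons.4cloud.click"},
    {"EventID": 3, "DestinationHostname": "dragons.4cloud.click", "DestinationPort": 1982},
    {"EventID": 11, "TargetFilename": r"C:\Windows\Temp\setup.log"},  # benign, should not match
]


def scan(events, cfg=QUASAR_CONFIG):
    """Return [(event_index, [indicator names])] for every event that matched."""
    ind = build_indicators(cfg)
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev, ind)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

The Run-key check keys on the value name rather than on the data, so it still fires if the operator changes the install path but reuses the builder default startup_key; the path check is independent so both can be tuned separately.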
Targets

Target: 3c3709b1034ea2023c6a40a2f2c66f27e63000b5f3f398ff11a71da44a2969ff
Size: 69.1MB
MD5: 9c0e635401b0bc6bb9f32bf61c831309
SHA1: 1ba8408785b86eea68702003b200822f2b8768ad
SHA256: 3c3709b1034ea2023c6a40a2f2c66f27e63000b5f3f398ff11a71da44a2969ff
SHA512: d8adf0313061d1f9a32bc00fbdc9f414cc117e2017101bdcba7da34a3b124d759fbc029d62eb62aa89a135b964e33610e62d3b7a90200126578f7e2687b4b870
SSDEEP: 1572864:YVo7Cqx85SMJ/A/8Ww5XF6aC0TIOR6+m8YKF60K7H:6o21/AUB5XF8WIOR6+PO0KL
Quasar payload
Drops file in Drivers directory
Modifies Windows Firewall
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Registers COM server for autorun
Adds Run key to start application
Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Change Default File Association (1)
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)

Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Change Default File Association (1)
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)

Defense Evasion
  Impair Defenses (1): Disable or Modify System Firewall (1)
  Modify Registry (4)