General
Target: $phantom-powershell.bat
Size: 586KB
Sample: 240607-tnabzsbh33
MD5: be2e3adcd233ea65761c8b188cc0206a
SHA1: 2702edee993505b58bb094c6a996bcb67458252a
SHA256: 0a8c7f13dde48266557795d9b15654f508fa30065740575b2f6be3c2f5b749d1
SHA512: 7de6e0657eed64cc56bdb57ad6cb758ceeda61bbb44c63225ae29ad507d50b7e16cbff2abc2e994da03206593e47c7c858deb7e0698e322e391c37256cd2098a
SSDEEP: 12288:RUepamz1Deupz8y/mG1RO4CD6UWFpbocRql3ymCW/MwUpdF8P1:Rfawek/mgR67/HIdF8P1
Static task: static1
Malware Config
Extracted: quasar
Version: 1.3.0.0
Botnet: Zer0Spy
C2: 127.0.0.1:4782
Mutex: QSR_MUTEX_9vwtyaiSuBr8jzh6yA
encryption_key: hDMI6Wy4P2AUTiZAh6a2
install_name: $phantom-powershell.exe
log_directory: $phantom-Logs
reconnect_delay: 3000
startup_key: Windows PowerShell
subdirectory: $phantom-zer0spy2
Targets
Target: $phantom-powershell.bat (586KB; hashes identical to the sample listed under General)
- Quasar payload
- Blocklisted process makes network request
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.