General

- Target: Update.exe
- Size: 20.4MB
- Sample: 240608-yz4gesff6w
- MD5: 88246c2a001042481486e559a6d10d91
- SHA1: e64a646ba23b7795ec3dfb5ae4d80b02c7dd274f
- SHA256: 4a424271b9a191afc76110e2bccd45f23cc281853f223d3e27756e16c14b5019
- SHA512: f3daab1877324bc8ac1f52bc9d1c7327230840fc53899aed47b69dd6b7e996cf3fde70c7efe209fa6fb9d80d58687abbd2f144a66e26de17b99b539d20f6e5ad
- SSDEEP: 393216:XlHpZSFSVTVyVSJXSUEJRnpyQnXUWJjv0xamVNA3guo9N:9p0FmyVSNSUE7npyQnkWJjv0DV23o
- Static task: static1
- Behavioral task: behavioral1
- Sample: Update.exe
- Resource: win10-20240404-en
Malware Config

Extracted

quasar
1.4.1
EmmasSub
85.23.24.170:4782
85.23.109.34:4782
82.128.254.93:4782
f82c7021-f558-4f6f-bbb3-fbe420c708e5

- encryption_key: 4DC093FC202D016F95DCEE92AAF2874F56ACC3F2
- install_name: RuntimeBroker.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Windows Update
- subdirectory: WindowsSecureManager
Targets

- Target: Update.exe
- Size: 20.4MB
- MD5: 88246c2a001042481486e559a6d10d91
- SHA1: e64a646ba23b7795ec3dfb5ae4d80b02c7dd274f
- SHA256: 4a424271b9a191afc76110e2bccd45f23cc281853f223d3e27756e16c14b5019
- SHA512: f3daab1877324bc8ac1f52bc9d1c7327230840fc53899aed47b69dd6b7e996cf3fde70c7efe209fa6fb9d80d58687abbd2f144a66e26de17b99b539d20f6e5ad
- SSDEEP: 393216:XlHpZSFSVTVyVSJXSUEJRnpyQnXUWJjv0xamVNA3guo9N:9p0FmyVSNSUE7npyQnkWJjv0DV23o

- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory