General

Target: Loli.bat
Size: 3.8MB
Sample: 240611-gf456swgnd
MD5: e4889d99388cceea3c907355304aae89
SHA1: eb257905a6b26999c8669b2dfd6514cbb58dbc24
SHA256: 212041e0721657d19e29bf71ee058b9b0758adb113440aefac2275eab673440d
SHA512: dd2b2eeec89efbd64c3d38a1d767285bfe0fce5d63c0bd526d1638a4b05c85b77f61023dac7e3c3ea4c5e83673b1c43fbed3c9ab006783c185a6a4374d088a32
SSDEEP: 49152:uQY5eZkygGG7xcLoUZvL/eEBeQOoKB5BQD8WChHHdxFh:W

Static task: static1
Malware Config

Extracted family: quasar
encryption_key: E2FB9900B23756E2DDF30B24E44B0961BA7B0F9C
reconnect_delay: 3000

The encryption_key is the Quasar client's ENCRYPTIONKEY setting: the password from which the client derives the AES key and HMAC key that protect its other embedded settings (hosts, tag, version, server certificate), so it is the value needed to decrypt the rest of the configuration. reconnect_delay is the pause, in milliseconds, between C2 reconnection attempts.
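To turn the extracted encryption_key into usable key material, the following added example (written for this page; it is not code from the sandbox or from the Quasar repository) re-implements the client-side scheme as I understand it from the public Quasar 1.4 source: PBKDF2-HMAC-SHA1 over the key string with a fixed salt and 50,000 iterations, the first 32 output bytes used as the AES-256-CBC key and the next 64 as an HMAC-SHA256 key, and each stored setting laid out as base64(MAC || IV || ciphertext) with the MAC computed over IV || ciphertext. The salt bytes and iteration count are assumptions to verify against the sample's own Aes256 class if a setting fails to authenticate; the AES step relies on the third-party cryptography package, and the authenticated blob built by seal_setting is constructed for illustration, not taken from this sample.

```python
"""Quasar-style settings decryptor: derive keys from the extracted
encryption_key, authenticate a stored setting, then decrypt it."""
import base64
import hashlib
import hmac
from typing import Tuple

# Value reported under Malware Config above.
ENCRYPTION_KEY = "E2FB9900B23756E2DDF30B24E44B0961BA7B0F9C"

# Assumed constants from Quasar's Aes256 class (Quasar.Common/Cryptography);
# verify against the sample's client if a setting fails to authenticate.
QUASAR_SALT = bytes([
    0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24,
    0x30, 0xA5, 0x78, 0x43, 0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9,
    0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
])
PBKDF2_ITERATIONS = 50000
KEY_LEN, AUTH_KEY_LEN, IV_LEN, MAC_LEN = 32, 64, 16, 32


def derive_keys(master_key: str) -> Tuple[bytes, bytes]:
    """Mirror Rfc2898DeriveBytes(masterKey, Salt, 50000): GetBytes(32) then
    GetBytes(64) read one continuous PBKDF2 output stream, so derive 96 bytes
    once and split them (AES key first, HMAC key second)."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), QUASAR_SALT,
                                 PBKDF2_ITERATIONS, KEY_LEN + AUTH_KEY_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def split_setting(b64_setting: str) -> Tuple[bytes, bytes, bytes]:
    """Stored layout: HMAC-SHA256 (32) || IV (16) || AES-CBC ciphertext."""
    raw = base64.b64decode(b64_setting)
    body = raw[MAC_LEN + IV_LEN:]
    if len(body) < 16 or len(body) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return raw[:MAC_LEN], raw[MAC_LEN:MAC_LEN + IV_LEN], body


def mac_is_valid(auth_key: bytes, mac: bytes, iv: bytes, ciphertext: bytes) -> bool:
    """The MAC covers IV || ciphertext; compare in constant time."""
    expected = hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def seal_setting(auth_key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Inverse of split_setting: what the builder stores after encrypting.
    Used here only to build a constructed, authenticated blob for checks."""
    mac = hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(mac + iv + ciphertext).decode("ascii")


def decrypt_setting(master_key: str, b64_setting: str) -> str:
    """Authenticate-then-decrypt one embedded setting (e.g. HOSTS, TAG)."""
    key, auth_key = derive_keys(master_key)
    mac, iv, ciphertext = split_setting(b64_setting)
    if not mac_is_valid(auth_key, mac, iv, ciphertext):
        raise ValueError("invalid MAC: wrong encryption_key or modified setting")
    # Third-party dependency (pip install cryptography); imported lazily so the
    # key-derivation and MAC checks above work without it.
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode("utf-8")


if __name__ == "__main__":
    aes_key, hmac_key = derive_keys(ENCRYPTION_KEY)
    print("AES-256 key :", aes_key.hex())
    print("HMAC key    :", hmac_key.hex())
```

Because the MAC is checked before any decryption, feeding a setting string pulled from the dropped binary through decrypt_setting with the wrong key fails cleanly with a MAC error rather than producing garbage, which is the quickest way to confirm that the extracted encryption_key really belongs to this client build.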
Targets

Target: Loli.bat (3.8MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

The .bat extension is only the submitted filename: the signatures below show the batch file writes an executable to disk and runs it, so the dropped EXE, not the batch wrapper, is the Quasar client to hash and hunt for separately.

Signatures observed for this target:

- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
  A process is created with a parent other than the caller (parent PID spoofing), which breaks parent/child process-tree analysis.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
  NtSetInformationThread with ThreadHideFromDebugger detaches the thread from any attached debugger, an anti-debugging measure.
- Suspicious use of SetThreadContext
  Rewriting another thread's context is typical of process hollowing and other injection techniques.