General
-
Target
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe
-
Size
916KB
-
Sample
240629-b29pws1dlr
-
MD5
fb57053d7202dbaca1e71a649047597f
-
SHA1
b5c39ce77aa7c9a0f5f044eb887fb4baec3ce0db
-
SHA256
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87
-
SHA512
fe4f64695c0121180b2a0829f82cee6de42170d17b34125f1ac0741580e58c1c282ea1bc5d1a0c8a3ae597f3e2dc014c8980416a2bfdcf30db98df984cf1ab43
-
SSDEEP
24576:tmkdueXjq0OQKc2YSEegpQRDLusJLK1lkyoLP:IkdueXjq0OQKc2YSEegpshk1lk
Behavioral task
behavioral1
Sample
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe
Resource
win7-20231129-en
Malware Config
Extracted
quasar
2.8.0.1
backup
45.40.96.164:5552
4zqoNUTZKMvnLHkoUD
-
encryption_key
S2EJJjFXQqrAnFg7XBWE
-
install_name
Registry.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Hotels Client Startup
Targets
-
-
Target
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87.exe
-
Size
916KB
-
MD5
fb57053d7202dbaca1e71a649047597f
-
SHA1
b5c39ce77aa7c9a0f5f044eb887fb4baec3ce0db
-
SHA256
a53a585de940ceb15a7b30f6d6157b0e9722d7b81cea4a2dadb1f0c7410fae87
-
SHA512
fe4f64695c0121180b2a0829f82cee6de42170d17b34125f1ac0741580e58c1c282ea1bc5d1a0c8a3ae597f3e2dc014c8980416a2bfdcf30db98df984cf1ab43
-
SSDEEP
24576:tmkdueXjq0OQKc2YSEegpQRDLusJLK1lkyoLP:IkdueXjq0OQKc2YSEegpshk1lk
-
Quasar payload
-
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects executables containing URLs to raw contents of a Github gist
-
Detects executables embedding command execution via IExecuteCommand COM object
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
-
Detects file containing reversed ASEP Autorun registry keys
-
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-