General
-
Target
CrackedWave.exe
-
Size
17.7MB
-
Sample
240723-lj9maazcpp
-
MD5
5d2ef5bc98a7c487c6a6b05a9e60db9c
-
SHA1
ff805987e2cf3a90d09ed4a32013a6e86344768c
-
SHA256
ecaceebf2b28b741603a75bbc8dce0f089b0d75314b2481c06534754a0e62517
-
SHA512
2fdbafbb48cc3713121e5215015be2727398f10e76575ffea63624ee303c60fbc388f734213c1aa75537374db96538bbf23c9939e4aa71784262f1ae2adb19bf
-
SSDEEP
393216:BfkZgLfrx0Lx8uOMpfo/nXlujARdGv4kHkzMmsW0W3WWRqusbMGCNFxHWy:lr+Lx8uOafgn1uj0dGv4fAjBZMGyFd
Static task
static1
Behavioral task
behavioral1
Sample
CrackedWave.exe
Resource
win11-20240709-en
Malware Config
Extracted
quasar
1.4.1
Steam
20.ip.gl.ply.gg:55257
15d4edb7-40c0-4a95-9dc8-8fe93071bce0
-
encryption_key
F1B995FFCFBEAA3218870A13F82413DC65D82218
-
install_name
Steam.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
SteamClient
-
subdirectory
%appdata%
Targets
-
-
Target
CrackedWave.exe
-
Size
17.7MB
-
MD5
5d2ef5bc98a7c487c6a6b05a9e60db9c
-
SHA1
ff805987e2cf3a90d09ed4a32013a6e86344768c
-
SHA256
ecaceebf2b28b741603a75bbc8dce0f089b0d75314b2481c06534754a0e62517
-
SHA512
2fdbafbb48cc3713121e5215015be2727398f10e76575ffea63624ee303c60fbc388f734213c1aa75537374db96538bbf23c9939e4aa71784262f1ae2adb19bf
-
SSDEEP
393216:BfkZgLfrx0Lx8uOMpfo/nXlujARdGv4kHkzMmsW0W3WWRqusbMGCNFxHWy:lr+Lx8uOafgn1uj0dGv4fAjBZMGyFd
-
Detect Umbral payload
-
Quasar payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Hide Artifacts: Hidden Files and Directories
-