General
-
Target
e83ed2446c4dcaea4dee212911c60040N.exe
-
Size
2.0MB
-
Sample
240814-gqmnwaxglc
-
MD5
e83ed2446c4dcaea4dee212911c60040
-
SHA1
939997535659c10cbf9aee8203466745475a1b69
-
SHA256
9a227f47f09d34808e5ccf5856bf8900ae72fdc777d1d9e51de3d3a9ada0ef25
-
SHA512
51b6d85dc84bf0f9df1f63f2e1ea76806fc4c7b9d96e928645d485bcc7b369fb4a7d49d7cccb286b4c483b3ae1ac8a6ab14a25503a2615059134a84c362aa9ff
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYr:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Y9
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Targets
-
-
Target
e83ed2446c4dcaea4dee212911c60040N.exe
-
Size
2.0MB
-
MD5
e83ed2446c4dcaea4dee212911c60040
-
SHA1
939997535659c10cbf9aee8203466745475a1b69
-
SHA256
9a227f47f09d34808e5ccf5856bf8900ae72fdc777d1d9e51de3d3a9ada0ef25
-
SHA512
51b6d85dc84bf0f9df1f63f2e1ea76806fc4c7b9d96e928645d485bcc7b369fb4a7d49d7cccb286b4c483b3ae1ac8a6ab14a25503a2615059134a84c362aa9ff
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYr:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Y9
Score10/10-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-