General

Target: 9683ae49df4611b5c3bf4b64091490e0N.exe
Size: 3.1MB
Sample: 240820-py62gswekp
MD5: 9683ae49df4611b5c3bf4b64091490e0
SHA1: cf5b51f57ef7f990c42d6d541d1c1e8a7015f70e
SHA256: 0ee5e2f4649aed44cebe6872d5b7c18040aa22fbf21e1b5ca6bc3d4748f9b0cc
SHA512: 9858f67cf0b77a33dca3fa6fb9adfc209c86c9b93cd325922c664e48637c9de318fd2f8097bd1a504ba36d3a64cc0b8653241d565e1dd994d0f76c860bf394d9
SSDEEP: 49152:Gv2I22SsaNYfdPBldt698dBcjHsfRJ6VbR3LoGd3zTHHB72eh2NT:Gvb22SsaNYfdPBldt6+dBcjHsfRJ6n
Behavioral task: behavioral1

Sample: 9683ae49df4611b5c3bf4b64091490e0N.exe
Resource: win7-20240704-en
Malware Config

Extracted: quasar
Version: 1.4.1
Alex
C2: 7.tcp.ngrok.io:21630
C2: alexthedns.com:4444
7705a472-de11-422c-bb9d-a95b63236ca3
encryption_key: 6DA001BD6C6276995240688DD6532A416FADB825
install_name: winrom.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: winrom.exe
subdirectory: winrom
Targets

Target: 9683ae49df4611b5c3bf4b64091490e0N.exe
Size: 3.1MB
MD5: 9683ae49df4611b5c3bf4b64091490e0
SHA1: cf5b51f57ef7f990c42d6d541d1c1e8a7015f70e
SHA256: 0ee5e2f4649aed44cebe6872d5b7c18040aa22fbf21e1b5ca6bc3d4748f9b0cc
SHA512: 9858f67cf0b77a33dca3fa6fb9adfc209c86c9b93cd325922c664e48637c9de318fd2f8097bd1a504ba36d3a64cc0b8653241d565e1dd994d0f76c860bf394d9
SSDEEP: 49152:Gv2I22SsaNYfdPBldt698dBcjHsfRJ6VbR3LoGd3zTHHB72eh2NT:Gvb22SsaNYfdPBldt6+dBcjHsfRJ6n

Signatures:
- Quasar payload
- Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check that decides whether the payload runs in a given country.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2: one of the configured C2 endpoints, 7.tcp.ngrok.io:21630, is an ngrok TCP tunnel, so the listener sits behind a legitimate, short-lived hostname rather than attacker-owned infrastructure.