General
- Target: 632ebbd71c57497b70d5d0d270737706af23a00a789c7b53c13110252a35ba7d.exe
- Size: 1.0MB
- Sample: 240821-mfe4yashpe
- MD5: dff805106f7e22c65887f4b40ae63af7
- SHA1: 9deda5715cfd27bce5d07e8c9da3888652239030
- SHA256: 632ebbd71c57497b70d5d0d270737706af23a00a789c7b53c13110252a35ba7d
- SHA512: 43c1bacfb18a767ca9f7d8ca34ab964abde0cb026d34c29adcc2d70f52b9e4055cfaf8c2d4f2ee9079ba3cc11fa4d3dc62d2ece9a624c6cb19db5ffed0c563d3
- SSDEEP: 24576:uHMwUDPHMYHM62oEHMxszlt0que+gl02xJ/7UbPv5LvE9HM:yI7bwoYzv0B2lxJjuPWd
Static task: static1
Behavioral task: behavioral1
- Sample: 632ebbd71c57497b70d5d0d270737706af23a00a789c7b53c13110252a35ba7d.exe
- Resource: win7-20240704-en
Malware Config
Extracted
- quasar 1.3.0.0
- Image1
- onemilliondollars.duckdns.org:4781
- 185.165.153.138:4781
- fivemilliondollars.duckdns.org:4781
- MUTEX_hcyE6Pmu2wtUGYAlgy
- encryption_key: 5f9oz3a4d9d5TlQM1xmm
- install_name: winlog.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Intel Corpration
- subdirectory: SubDir
Targets
- Target: 632ebbd71c57497b70d5d0d270737706af23a00a789c7b53c13110252a35ba7d.exe
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext