General
Target: lnk.bat
Size: 3.4MB
Sample: 240821-ssftwszanm
MD5: e0b49da0d96e8c5214e9276be383177c
SHA1: acc2c37d489134c2186e95efaf7d3ea768a226f5
SHA256: 081da7f15e7bd101ab50628a23ffa3f8464db8c6f858f5d40faa890166554e39
SHA512: b34944610642622ed45b1b09b4281e6d4b2f160c3b988aec2c254e2860cc1e5e40d6430057ea61fa323c8d99a32caeab50404c1d10baeb9a3b4bd12e6c068cee
SSDEEP: 49152:iPZ9h8UbMrOvMl2axWm2aPRlAYydkm6uOwIM0A8Dqpb:C
Static task: static1
Behavioral task: behavioral1
Sample: lnk.bat
Resource: win7-20240704-en
Malware Config
Extracted family: quasar
encryption_key: 853F98C0E8F31E6FF0C780CC65F601689B6EF3FD
reconnect_delay: 3000
Targets
Target: lnk.bat
Size: 3.4MB
Signatures
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Checks BIOS information in registry: BIOS information is often read in order to detect sandbox environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Deletes itself
- Indicator Removal: Clear Windows Event Logs: clears Windows Event Logs to hide the activity of an intrusion.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext