General
-
Target
75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
-
Size
6.0MB
-
Sample
240901-xmyvqsyhjp
-
MD5
cb5f90bc4f6b3efb5a8d8d96919922fb
-
SHA1
2957561a29587d510fd9a40e479416c80203cd6c
-
SHA256
75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
-
SHA512
80d32637b5f660704b182c94a17a668aad0686b5fe3c7aa70dc66b1d9c7815d7e73ecbe29ce0cec09ce9ad421dce58f24a723d48acd4f2fa486fc913412dd027
-
SSDEEP
98304:Yvo1nQ0HP4N8GMZbAOr6/uWM3OY6vqQMOpoT4YOYDGAZfkSJJVjnhRD2wOMTjnXK:SoJQ+P4be9r3z6iQMuYDTKKDjnhpTLXK
Behavioral task
behavioral1
Sample
95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Resource
win7-20240708-en
Malware Config
Extracted
quasar
1.4.0
Chrome
live.nodenet.ml:8863
754ce6d6-f75b-4c6f-964c-3996e749369e
-
encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
-
install_name
chrome.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
System
-
subdirectory
chrome
Targets
-
-
Target
95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
-
Size
6.1MB
-
MD5
03778d811f241e83ccad830372313b3c
-
SHA1
11962399abf7fc0981f324e4aa5271f36f50c5ba
-
SHA256
95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
-
SHA512
2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
-
SSDEEP
98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
-
Quasar payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-