General
Target: ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N
Size: 9KB
Sample: 240930-2nlzsasfld
MD5: a9ee41f13671a27306e8a3e1dd16d8c0
SHA1: 75b9c920227278bdf387fc029c6547442fd2aeee
SHA256: ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70
SHA512: 82a97a4376f6a7096518467067d0066385cda0edb6d5480136ba0b706fdf57edb69bdafe1233d8fd99c0aa4c16618206f636a52d7271a6a2b8ccb80b78d34186
SSDEEP: 96:tDM/Qfwt9LSwlo7s5XjL3EOLSrLXSfcgQWChThghThGJ6cseaB4KWsJP/LyNlQzj:5MkKLSgNTL3pLSrLCNM6caB4KZuly
Static task: static1
Behavioral task: behavioral1
Sample: ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe
Resource: win7-20240903-en
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Hacked
C2: 1.tcp.sa.ngrok.io:20545
Mutex: 11be2b79-6682-4e70-8daf-902c6a4c9c43
Attributes
- encryption_key: 5E9246C5AB842E866E54BCF3379BFBE1677545A8
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 5000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Targets
Target: ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N
Size: 9KB
MD5: a9ee41f13671a27306e8a3e1dd16d8c0
SHA1: 75b9c920227278bdf387fc029c6547442fd2aeee
SHA256: ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70
SHA512: 82a97a4376f6a7096518467067d0066385cda0edb6d5480136ba0b706fdf57edb69bdafe1233d8fd99c0aa4c16618206f636a52d7271a6a2b8ccb80b78d34186
SSDEEP: 96:tDM/Qfwt9LSwlo7s5XjL3EOLSrLXSfcgQWChThghThGJ6cseaB4KWsJP/LyNlQzj:5MkKLSgNTL3pLSrLCNM6caB4KZuly
- Quasar payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2 (the C2 is an ngrok TCP tunnel endpoint)
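The extracted config (C2 endpoint, startup_key, subdirectory, install_name, mutex) and the behavioral signatures (drops startup file, executes dropped EXE, ngrok abuse) are enough to build host and network detections for this sample. The following is an added example, not code from the tria.ge report or from the Quasar project: it turns the config fields above into indicators and runs them over a few constructed Sysmon-style event records. The event schema (an `event` key plus Sysmon field names such as `Image`, `TargetObject`, `DestinationHostname`) and the sample events are assumptions made for this example; the config values are copied from the report. The ngrok rule generalizes beyond the one hostname on the page: it matches any `N.tcp.<region>.ngrok.io` tunnel endpoint.

```python
import re

# Fields copied from the report's extracted Quasar 1.4.1 config.
QUASAR_CONFIG = {
    "version": "1.4.1",
    "botnet": "Hacked",
    "c2": "1.tcp.sa.ngrok.io:20545",
    "mutex": "11be2b79-6682-4e70-8daf-902c6a4c9c43",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
}

# ngrok TCP tunnel endpoints look like N.tcp.<region>.ngrok.io. Matching the
# shape rather than the single hostname catches other tunnels of the same kind
# (the region label "sa" in this sample is one of several ngrok regions).
NGROK_TCP_RE = re.compile(r"^\d+\.tcp\.[a-z]{2,}\.ngrok\.io$", re.IGNORECASE)


def indicators(cfg):
    """Derive matchable indicators from an extracted Quasar config dict."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        # Persistence is a Run-key value whose name is the configured
        # startup_key; matching on the suffix works for HKCU and HKLM alike.
        "run_value_suffix": "\\currentversion\\run\\" + cfg["startup_key"].lower(),
        # The dropped copy lives at <some base dir>\<subdirectory>\<install_name>.
        "install_suffix": "\\" + cfg["subdirectory"].lower()
                          + "\\" + cfg["install_name"].lower(),
        # Sysmon does not log mutex creation; the mutex is for memory triage
        # or a live-host handle check, so scan_events() does not use it.
        "mutex": cfg["mutex"].lower(),
    }


def scan_events(events, cfg=QUASAR_CONFIG):
    """Return (event_index, rule_name) hits for Sysmon-style event dicts.

    Assumed schema (constructed for this example): each dict has an 'event'
    key of 'process_create', 'registry_set' or 'network_connect' plus the
    Sysmon field names used below.
    """
    ioc = indicators(cfg)
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("event")
        if kind == "registry_set":
            target = ev.get("TargetObject", "").lower()
            if target.endswith(ioc["run_value_suffix"]):
                hits.append((i, "quasar_startup_run_value"))
        elif kind == "process_create":
            image = ev.get("Image", "").lower()
            if image.endswith(ioc["install_suffix"]):
                hits.append((i, "quasar_install_path"))
        elif kind == "network_connect":
            dest = ev.get("DestinationHostname", "").lower()
            port = int(ev.get("DestinationPort", 0))
            if dest == ioc["c2_host"] and port == ioc["c2_port"]:
                hits.append((i, "quasar_c2_endpoint"))
            elif NGROK_TCP_RE.match(dest):
                hits.append((i, "ngrok_tcp_tunnel"))
    return hits


# Constructed sample events for the example, not taken from the report.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "Image": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"},
    {"event": "registry_set",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup"},
    {"event": "network_connect",
     "DestinationHostname": "1.tcp.sa.ngrok.io", "DestinationPort": 20545},
    {"event": "network_connect",
     "DestinationHostname": "7.tcp.eu.ngrok.io", "DestinationPort": 12345},
    {"event": "process_create", "Image": r"C:\Windows\System32\notepad.exe"},
    {"event": "network_connect",
     "DestinationHostname": "update.microsoft.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]}")
```

Two caveats when reusing this: install_name, subdirectory and startup_key are attacker-chosen per build, so the path and Run-value rules are specific to this sample and should be regenerated from each newly extracted config, whereas the ngrok tunnel rule and a version/mutex match are the parts that carry across builds. The mutex is still worth keeping as an indicator for memory or live-host checks even though it never appears in Sysmon telemetry.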