General
-
Target
3b91d7f0be55606bcdf71b37a18f34c298156b12181ff7c944fb7a1818916736N
-
Size
7.6MB
-
Sample
241007-fhmhgawhrm
-
MD5
2b0f4ed458655cb0dbc66cf2a1f6a650
-
SHA1
905121961d59b36a8eba46b02dcf9b48c68baae4
-
SHA256
3b91d7f0be55606bcdf71b37a18f34c298156b12181ff7c944fb7a1818916736
-
SHA512
1741a6881e9e9a24e8f4e50ee28dd9a00e47156ae987c4bd25348504dd669e2bd4f6685607275419dc7af42bbaa0ff53306a91bad892c2a508797a8fe9740fad
-
SSDEEP
196608:IiyGR6yx+w3u7zPJKqCyBDpQyNCD+l7ggmdzrK:IiHR6yx5uJKqCyfnNCigPZO
Behavioral task
behavioral1
Sample
3b91d7f0be55606bcdf71b37a18f34c298156b12181ff7c944fb7a1818916736N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3b91d7f0be55606bcdf71b37a18f34c298156b12181ff7c944fb7a1818916736N.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Built.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Built.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Client-built.exe
Resource
win7-20240903-en
Malware Config
Extracted
quasar
1.3.0.0
new
caidume1368.ddns.net:8848
QSR_MUTEX_7rJKh7823LOXhq62Ll
-
encryption_key
XOrsMOPj48itZ7EYR3g9
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
System
-
subdirectory
SubDir
Targets
-
-
Target
3b91d7f0be55606bcdf71b37a18f34c298156b12181ff7c944fb7a1818916736N
-
Size
7.6MB
-
MD5
2b0f4ed458655cb0dbc66cf2a1f6a650
-
SHA1
905121961d59b36a8eba46b02dcf9b48c68baae4
-
SHA256
3b91d7f0be55606bcdf71b37a18f34c298156b12181ff7c944fb7a1818916736
-
SHA512
1741a6881e9e9a24e8f4e50ee28dd9a00e47156ae987c4bd25348504dd669e2bd4f6685607275419dc7af42bbaa0ff53306a91bad892c2a508797a8fe9740fad
-
SSDEEP
196608:IiyGR6yx+w3u7zPJKqCyBDpQyNCD+l7ggmdzrK:IiHR6yx5uJKqCyfnNCigPZO
-
Quasar payload
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steals credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
-
-
Target
Built.exe
-
Size
7.5MB
-
MD5
f6c1ca73d58bee19392afdf533bac4b3
-
SHA1
35e4a258a6f3834e7a3164d929b6333ba91ab9d9
-
SHA256
ea7ff4296f265854109ce36e1cd4e1d4b9afd94fe5d22392421da5b07c9f5e32
-
SHA512
714fdc94576245696b9c7948cc997a536380e54b5a2b2342321e3ef50ae8d413ab91c71774510defe28245b7e7d6d410905a76922cc3da4305c772a3043a8435
-
SSDEEP
196608:EjgVVEugwfI9jUC2gYBYv3vbW2+iITx1U6nu:XVVEu/IH2gYBgDWJTnzu
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steals credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
-
-
Target
Client-built.exe
-
Size
348KB
-
MD5
fa9b24d2daf3f8cf5e8fb84a4b0cd197
-
SHA1
03cfb24c35b7f79fd1ce716dd2402ca56d09a349
-
SHA256
f429a38b014770d38d3c95aca9e5169c6d2aee6731ae6dacf2b8d2911bdb0827
-
SHA512
987beefe76c56a58ff279ca08b5f702cdf5bfed3d64c47ef8c041b4a10f5dd9b475f1cbc856b3a0ae55c310bde67b672a70a11d5b961608910d7b22d2d5bc5b6
-
SSDEEP
6144:gN6bPXhLApfp04t/+qckvubgvbIRw/9fVng:0mhApTt/+ctvbiw/9flg
-
Quasar payload
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (2)
PowerShell (2)
Scheduled Task/Job (1)
Scheduled Task (1)
Persistence
Event Triggered Execution (1)
Netsh Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Event Triggered Execution (1)
Netsh Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Defense Evasion
Hide Artifacts (2)
Hidden Files and Directories (2)
Obfuscated Files or Information (1)
Command Obfuscation (1)
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (3)
Credentials In Files (3)
Discovery
Browser Information Discovery (1)
Process Discovery (1)
Query Registry (1)
Remote System Discovery (1)
System Information Discovery (4)
System Location Discovery (1)
System Language Discovery (1)
System Network Configuration Discovery (2)
Internet Connection Discovery (1)
Wi-Fi Discovery (1)