General
-
Target
d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
-
Size
797KB
-
Sample
241030-d137tstrfz
-
MD5
7ea9f823d613c41364ebb2d1d0a6189a
-
SHA1
4f419b26a5c1c9bf6ef7bd3c2aeb753490c0bd5b
-
SHA256
d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1
-
SHA512
d9d2898c90c8420ea1d0b4b75964b0f40f3d89651be36b37f9e2918f982bd08b3ebffd4455078e69c904959705e675c40d5a57f3c0686cc79ab375ef2ac5f4de
-
SSDEEP
12288:q6K0egDGMTCm4Nj9XuVIxlJY0RJFHV0ea8d1xxHiU78Ejy2QHPlvrqfmhemL11xI:qJ0eoLTCZNjQmfJpXHjHoDfW4eqhgP
Static task
static1
Behavioral task
behavioral1
Sample
d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
Resource
win7-20240903-en
Malware Config
Extracted
quasar
1.3.0.0
HTROY
87.120.116.115:61510
onadeatcamsides.sytes.net:61511
QSR_MUTEX_ZAU4jFZ758CCGtDmef
-
encryption_key
rK1SiSuzs11zCQEpJeMg
-
install_name
Updates.exe
-
log_directory
Logs
-
reconnect_delay
30000
-
startup_key
NewUpdates
-
subdirectory
Mindow
Targets
-
-
Target
d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1.exe
-
Size
797KB
-
MD5
7ea9f823d613c41364ebb2d1d0a6189a
-
SHA1
4f419b26a5c1c9bf6ef7bd3c2aeb753490c0bd5b
-
SHA256
d36fc52419dca76775f2efd8cd57a60e55f5f412929ce1f5ab8f758fc0366db1
-
SHA512
d9d2898c90c8420ea1d0b4b75964b0f40f3d89651be36b37f9e2918f982bd08b3ebffd4455078e69c904959705e675c40d5a57f3c0686cc79ab375ef2ac5f4de
-
SSDEEP
12288:q6K0egDGMTCm4Nj9XuVIxlJY0RJFHV0ea8d1xxHiU78Ejy2QHPlvrqfmhemL11xI:qJ0eoLTCZNjQmfJpXHjHoDfW4eqhgP
-
Quasar family
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-