General
-
Target
a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79.exe
-
Size
2.6MB
-
Sample
241030-wwbwwszpfr
-
MD5
08d5869bc24d424f76b8b862fb4d3ece
-
SHA1
542bf39e63aba74891f9b25e3a602cd8e364d1ea
-
SHA256
a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79
-
SHA512
afcc32c0af3d9bda5eddc4f69911a1aa2b6029a0b071ef81f22e109bdde68ab2638349f97d7f2d605f720c23c9964de95ea1a63beb85f4182c11a68576774aa0
-
SSDEEP
49152:cR0ZLQZ86dP3eKzjkGxE2KQKsVbr1ZjePG72Gq:rU1I2KQ95d72Gq
Static task
static1
Behavioral task
behavioral1
Sample
a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
quasar
1.4.1
panel.o7lab.me
panel.o7lab.me:4782
service.o7lab.xyz:4782
underground-cheat.xyz:4782
service.o7lab.com.tr:4782
84f88b7e-fbb8-40b1-829a-206ff17d9f29
-
encryption_key
9D5D5E73AB412A75009506F89BC73714AF89F744
-
install_name
Client.exe
-
log_directory
WinLog
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79.exe
-
Size
2.6MB
-
MD5
08d5869bc24d424f76b8b862fb4d3ece
-
SHA1
542bf39e63aba74891f9b25e3a602cd8e364d1ea
-
SHA256
a034366648b01d614c154f3cbf371916be93bcd3f7a02a2b36209af355beaf79
-
SHA512
afcc32c0af3d9bda5eddc4f69911a1aa2b6029a0b071ef81f22e109bdde68ab2638349f97d7f2d605f720c23c9964de95ea1a63beb85f4182c11a68576774aa0
-
SSDEEP
49152:cR0ZLQZ86dP3eKzjkGxE2KQKsVbr1ZjePG72Gq:rU1I2KQ95d72Gq
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1