General
Target: 4a98c5bbf1a94992ec72858d3327a28e.bin
Size: 1KB
Sample: 241103-bltnqs1alb
MD5: 83723797ff406ff445fbbd26a7798d7c
SHA1: 3c9c8e467a36eaaae468d371155249961536144c
SHA256: 6ceef930a62798d85c18182a92fb8fb22cedf20d6c6ac73f5e9fae2ff3856d9f
SHA512: 6eceee687388d6b9e99d5ee967f11937900129eb7a1ba67918eabb67f717d23be68ee428cb0168a5d776950b573dba408b2eaaf207efee1f8795ea3ff0300006
Static task: static1
Behavioral task: behavioral1
Sample: 184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543.lnk
Resource: win7-20240903-en
Malware Config
Extracted: http://45.149.241.169:5336/ghsjfsgfjsyhsfhzgbdfbgzgfb/yugygfyjsbdfoesrjfzbhffbserhbwdewbrtsnbdjkfbrhjgvghvhgvhgvhgvHfgcNchgfcnhchgchgcnGfcngcgdcngchcngch/jhbhfbjadhghjvgfcxhhfcjtgvkhdfskjdkbzhdfhmzdkydbfvhzdfjgvhzvg/tfvjtcfgchgcgcHcgcftjcgtygvgFtrdcjfcgkhvGcjfcxhfcjgVK/chfgcx.exe
Extracted: quasar
1.3.0.0
VTROY
31.13.224.12:61512
31.13.224.13:61513
QSR_MUTEX_4Q2rJqiVyC7hohzbjx
encryption_key: 7Vp2dMCHrMjJthQ2Elyy
install_name: downloads.exe
log_directory: Logs
reconnect_delay: 5000
startup_key: cssrse.exe
subdirectory: downloadupdates
Targets
Target: 184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543.lnk
Size: 2KB
MD5: 4a98c5bbf1a94992ec72858d3327a28e
SHA1: 0fa914c44bdcb63d3631d5ec30cebb5047d12c7a
SHA256: 184d7427be227ca0505c4baf5a9d3756534f399b052309e19ba819d06d03a543
SHA512: e60fb58d1f141d3c2ea99bf39d3b0dd872bebc05efa0cfa630e783f4d90b624084988c66621adc4d7dc6434b1c707d1d6c7c1f36ee2fa2e36fefc47b9a7d6ba7
- Quasar family
- Quasar payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext