General
-
Target
86e6a56d03817c4369a67631d7eeca99a0a9b6b7635a1d159c9bc2263d7abad6.exe
-
Size
34KB
-
Sample
241120-fsyy9a1epg
-
MD5
9de372f748c4a9dd77ddbfb325c1a31d
-
SHA1
bef15c9f755dd25031424a63a07ec5ec8199c92e
-
SHA256
86e6a56d03817c4369a67631d7eeca99a0a9b6b7635a1d159c9bc2263d7abad6
-
SHA512
2b7f936be2afd76990a65c5f32bba350ce2b96b9a9c14b14190bf2fa3bced04953787eb12b7f17e600e3a9000328fdfeea851373a21e16919c874964039a83d7
-
SSDEEP
768:ZCB/mZMXnTgjjSxKSbG6d30tjRi2T5EXbOfq1lk7kbzP:ZIxTgh29d3KRXT5cbOt7knP
Static task
static1
Behavioral task
behavioral1
Sample
86e6a56d03817c4369a67631d7eeca99a0a9b6b7635a1d159c9bc2263d7abad6.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
86e6a56d03817c4369a67631d7eeca99a0a9b6b7635a1d159c9bc2263d7abad6.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
quasar
1.4.1
fontdrvhost
archerleet.duckdns.org:1862
92d56566-deb6-4133-9031-d3e24abe97f9
-
encryption_key
0971EF27DF92928DE49B97AC507E38E80FF68C6E
-
install_name
fontdrvhost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
fontdrvhost
-
subdirectory
Driver
Targets
-
-
Target
86e6a56d03817c4369a67631d7eeca99a0a9b6b7635a1d159c9bc2263d7abad6.exe
-
Size
34KB
-
MD5
9de372f748c4a9dd77ddbfb325c1a31d
-
SHA1
bef15c9f755dd25031424a63a07ec5ec8199c92e
-
SHA256
86e6a56d03817c4369a67631d7eeca99a0a9b6b7635a1d159c9bc2263d7abad6
-
SHA512
2b7f936be2afd76990a65c5f32bba350ce2b96b9a9c14b14190bf2fa3bced04953787eb12b7f17e600e3a9000328fdfeea851373a21e16919c874964039a83d7
-
SSDEEP
768:ZCB/mZMXnTgjjSxKSbG6d30tjRi2T5EXbOfq1lk7kbzP:ZIxTgh29d3KRXT5cbOt7knP
-
Quasar family
-
Quasar payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory
-