General
Target: Psloramyra.ps1.ps1
Size: 2.1MB
Sample: 241121-jh2tyavjam
MD5: 032ea6f45fdd2fa1bd9b6cb5f425dc54
SHA1: aaac83baf4a939a4c3b9ff5a16dbcb472cab9592
SHA256: 5cc8c3c4d011cdbe7306dfb8ba52b14909ed06db2c1a465c31cc59e6f532cb22
SHA512: 222ca7941b7df2d2e4d7310a557cc6cdb43c33368d9632610b428b1a117a5c272504dae677216b678e4c65887f779f60078dd6096a1280aa834b1a3fcb97c379
SSDEEP: 6144:ccVzJb1d4aU/hQVBJ2A7Is2Csr1l5mH9OdHUb3ngo1:v
Static task: static1
Behavioral task: behavioral1
Sample: Psloramyra.ps1
Resource: win7-20241010-en
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Tag: Office04 (the Quasar builder's default tag, so it carries no campaign information on its own)
C2: ronymahmoud.casacam.net:4782
C2: seznam.hopto.org:4782
Mutex: QSR_MUTEX_mn85pQSh0eqrA3kPek
encryption_key: EjggXOgdqRrj8wGQ7mTy
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds between reconnection attempts)
startup_key: Quasar Client Startup (name of the Run-key value used for persistence)
subdirectory: SubDir (directory the client is copied into on install)
Both C2 hosts are dynamic-DNS names (casacam.net and hopto.org are No-IP domains) on 4782, Quasar's default listening port, so they should be hunted by name rather than by the IP they resolved to during this run.
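The extracted configuration gives everything needed to hunt for this client on other hosts: the two C2 names and port, the mutex, the Run-key value name and the install path. The following Python is an added example, not part of this report and not Quasar's own code; it turns those config values into a small matcher and runs it over constructed DNS, network-connection, Run-key and mutex telemetry (the log lines, registry entries and the 203.0.113.7 address are invented for the demo; the report contains no such logs). The QSR_MUTEX_ prefix check goes beyond this sample and matches the default mutex naming of any Quasar build.

```python
"""Match the Quasar IOCs from the extracted config against sample telemetry.

Added example for this report; not code from the sandbox or from Quasar.
"""
import re
from typing import Dict, List

# Indicators taken verbatim from the extracted config above.
C2_HOSTS = {"ronymahmoud.casacam.net", "seznam.hopto.org"}
C2_PORT = 4782
MUTEX = "QSR_MUTEX_mn85pQSh0eqrA3kPek"
MUTEX_PREFIX = "QSR_MUTEX_"          # default prefix of Quasar client mutexes
STARTUP_KEY = "Quasar Client Startup"
INSTALL_NAME = "Client.exe"
SUBDIRECTORY = "SubDir"

# Constructed sample telemetry for the demo (not taken from the report).
DNS_LOG = [
    "2024-11-21 09:30:11 WIN7-PC query A www.msftncsi.com",
    "2024-11-21 09:30:12 WIN7-PC query A api.ipify.org",
    "2024-11-21 09:30:15 WIN7-PC query A ronymahmoud.casacam.net",
    "2024-11-21 09:31:20 WIN7-PC query A seznam.hopto.org",
    "2024-11-21 09:32:02 WIN7-PC query A seznam.cz",
]
NETCONN_LOG = [
    "2024-11-21 09:30:16 pid=1840 image=C:\\Users\\user\\AppData\\Roaming\\SubDir\\Client.exe dst=203.0.113.7:4782",
    "2024-11-21 09:30:30 pid=1204 image=C:\\Windows\\explorer.exe dst=13.107.4.52:80",
]
RUN_KEYS = [
    {"path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive",
     "value": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "Quasar Client Startup",
     "value": r"C:\Users\user\AppData\Roaming\SubDir\Client.exe"},
]
MUTEXES = ["Local\\MSCTF.Asm.MutexDefault1", "QSR_MUTEX_mn85pQSh0eqrA3kPek"]

DNS_RE = re.compile(r"query\s+\S+\s+(?P<host>[A-Za-z0-9.-]+)$")
CONN_RE = re.compile(r"image=(?P<image>\S+)\s+dst=(?P<ip>[\d.]+):(?P<port>\d+)")
INSTALL_TAIL = f"\\{SUBDIRECTORY}\\{INSTALL_NAME}".lower()


def match_dns(lines: List[str]) -> List[str]:
    """Exact-name match against the configured C2 hosts (no substring matching,
    so seznam.cz does not trip on seznam.hopto.org)."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and m.group("host").lower() in C2_HOSTS:
            hits.append(m.group("host").lower())
    return hits


def match_netconn(lines: List[str]):
    """Port 4782 alone is a weak signal, so require the connecting image to be
    the installed client path (...\\SubDir\\Client.exe) as well."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        image = m.group("image").replace("/", "\\").lower()
        if int(m.group("port")) == C2_PORT and image.endswith(INSTALL_TAIL):
            hits.append((m.group("ip"), int(m.group("port")), m.group("image")))
    return hits


def match_run_keys(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag a Run value either by its name (startup_key) or by its target path."""
    hits = []
    for e in entries:
        name_hit = e["name"] == STARTUP_KEY
        path_hit = e["value"].strip('"').lower().endswith(INSTALL_TAIL)
        if name_hit or path_hit:
            hits.append({"name": e["name"], "value": e["value"],
                         "name_match": name_hit, "path_match": path_hit})
    return hits


def match_mutex(names: List[str]):
    """Exact match on this sample's mutex; prefix match catches other Quasar builds."""
    hits = []
    for n in names:
        bare = n.split("\\")[-1]          # drop the Local\ or Global\ namespace
        if bare == MUTEX:
            hits.append((n, "exact"))
        elif bare.startswith(MUTEX_PREFIX):
            hits.append((n, "prefix"))
    return hits


def triage(dns, conns, run_keys, mutexes) -> Dict[str, object]:
    """Combine the four matchers; two independent indicator classes give a verdict."""
    findings: Dict[str, object] = {
        "c2_dns": match_dns(dns),
        "c2_connections": match_netconn(conns),
        "persistence": match_run_keys(run_keys),
        "mutex": match_mutex(mutexes),
    }
    score = sum(1 for v in findings.values() if v)
    findings["verdict"] = "quasar" if score >= 2 else ("suspicious" if score == 1 else "clean")
    return findings


if __name__ == "__main__":
    for k, v in triage(DNS_LOG, NETCONN_LOG, RUN_KEYS, MUTEXES).items():
        print(f"{k}: {v}")
```

Matching on host names rather than resolved addresses matters here because both C2s are dynamic-DNS names whose A records can change between runs; the install path and Run-key name are the stronger host-side indicators, and the mutex gives a clean process-level confirmation.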
Targets
Target: Psloramyra.ps1.ps1 (2.1MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Quasar family
- Quasar payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext: a thread's context being rewritten from outside is the usual way injected or hollowed code is made to run, so this indicates the PowerShell stage handing execution to the Quasar payload rather than launching it as a plain child process.