General
-
Target
main1.bat
-
Size
15KB
-
Sample
241122-a5w3ja1jgw
-
MD5
837e6e693eab2459822a681dd8829347
-
SHA1
77417d665e66ae2f962f52b3d7c916f0772f0615
-
SHA256
57970a3c842bcaf6860a9d271b2725b08fc07a50ca18ff852983d8e80905a0c7
-
SHA512
54f3d0f4a69d785dd6012f5376d131f3d4cdfa1885577c46468bf1e37aed1d7da86cc11b7efcddf53eede8a4803a16e14c008493404906e3b870ccd441278a48
-
SSDEEP
384:wK1+KSlKC8kumFq/vM2pHz6YBM3P6QDSJO4ytvJ2/N2cGTuEhckk7VgFHbWvaPn0:wK1+KSlKC8++vM23b+CJXPn
Static task
static1
Behavioral task
behavioral1
Sample
main1.bat
Resource
win7-20240903-en
Malware Config
Extracted
quasar
1.4.1
bot
wooting2000-47095.portmap.host:47095
2e05f1ef-743b-4020-b18a-7f4276517e8b
-
encryption_key
E83D6FC31962786DAEA703F111D2381786DF06CA
-
install_name
Modification1.5.14.12.exe
-
log_directory
Logs
-
reconnect_delay
3126
-
startup_key
explorer.dll
-
subdirectory
SubDir
Targets
-
-
Target
main1.bat
-
Size
15KB
-
MD5
837e6e693eab2459822a681dd8829347
-
SHA1
77417d665e66ae2f962f52b3d7c916f0772f0615
-
SHA256
57970a3c842bcaf6860a9d271b2725b08fc07a50ca18ff852983d8e80905a0c7
-
SHA512
54f3d0f4a69d785dd6012f5376d131f3d4cdfa1885577c46468bf1e37aed1d7da86cc11b7efcddf53eede8a4803a16e14c008493404906e3b870ccd441278a48
-
SSDEEP
384:wK1+KSlKC8kumFq/vM2pHz6YBM3P6QDSJO4ytvJ2/N2cGTuEhckk7VgFHbWvaPn0:wK1+KSlKC8++vM23b+CJXPn
-
Quasar family
-
Quasar payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-