General
-
Target
06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
-
Size
16.7MB
-
Sample
241123-hnbn9szrd1
-
MD5
65e77040ed7d9dbbbbb65be5f8528b61
-
SHA1
22e5e40a62ebda8aae9f658d617888114ccc712f
-
SHA256
06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c
-
SHA512
b185ea47e46279938566febd61fe120d4255ae2ade08bf213edf477096bbafb244705208dfec28dabf1e19db85e85dea24880fdc8efd10b7fb05cd709c0b7236
-
SSDEEP
393216:urN50n4bwQq7t3J086sIB6ehAAJ2u653xVu7vHhqBa4Cs0:uka9ZPBxKJpHCpqBa4Cx
Behavioral task
behavioral1
Sample
06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Resource
win7-20240903-en
Malware Config
Extracted
quasar
1.4.0
Chrome
live.nodenet.ml:8863
754ce6d6-f75b-4c6f-964c-3996e749369e
-
encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
-
install_name
chrome.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
System
-
subdirectory
chrome
Targets
-
-
Target
06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
-
Size
16.7MB
-
MD5
65e77040ed7d9dbbbbb65be5f8528b61
-
SHA1
22e5e40a62ebda8aae9f658d617888114ccc712f
-
SHA256
06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c
-
SHA512
b185ea47e46279938566febd61fe120d4255ae2ade08bf213edf477096bbafb244705208dfec28dabf1e19db85e85dea24880fdc8efd10b7fb05cd709c0b7236
-
SSDEEP
393216:urN50n4bwQq7t3J086sIB6ehAAJ2u653xVu7vHhqBa4Cs0:uka9ZPBxKJpHCpqBa4Cx
-
Quasar family
-
Quasar payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-