General
- Target: SMTPChecker.exe
- Size: 23.1MB
- Sample: 241123-t1htwsxqbs
- MD5: b2d4138a7cbb8b3e02d9f61c76f31f18
- SHA1: 629dfd6d138fe6a9ff0492a63ef1ce0bd5356c6c
- SHA256: eabb7c5d04a447b6af835c375f9e5535fa1250f5ae976686048bf4bc9766612f
- SHA512: f9cc089193c91f603f0ed6f47f84fa7483344268a88b2bfdaa8914e5e9f07af84ab206bd621272718eaca8a3babdceeaf58cd25197b24adfc0cede6f3933c988
- SSDEEP: 393216:ZSzcigXdH1z88oOJOVyRzVOrRS1/Q1NeJ42Mjck4GREfMfoPwY74HpC1P5aw:mVgc8hJO4wK/EdcsEfQobeM6
Static task: static1
Behavioral task: behavioral1
- Sample: SMTPChecker.exe
- Resource: win10v2004-20241007-en
Malware Config
Extracted: quasar 1.4.0.0
- Office
- 45.200.149.95:6669
- 6HcAGCOypVIi6hl6rR
- encryption_key: 3Fmq36RtzQkpmjAWxAFM
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: DISC
- subdirectory: SubDir
Targets
- Target: SMTPChecker.exe
- Quasar family
- Quasar payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext