General
-
Target
Client-built.exe
-
Size
3.1MB
-
Sample
241124-xzmy1a1kdm
-
MD5
d736427dd2ccd3f8a536d5cf69827f6f
-
SHA1
20db2442845c8559801de82434b3af89b6545c4a
-
SHA256
0463f6a7f96dd95ae2352e658a17210f6242fec676cacd4c9a8042e1b040560e
-
SHA512
822bdf46a2f950f42a8c17afe9cf1ca27685fb44e180966871df2f2da08b872a10e72e5c892b901d3c1a9f2421ed91ac14b452d0d87fff8146e3839740fb0112
-
SSDEEP
49152:fvvlL26AaNeWgPhlmVqvMQ7XSKPmEqf5P+rk/GLoGABTHHB72eh2NT:fv9L26AaNeWgPhlmVqkQ7XSKZqU
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20240903-en
Malware Config
Extracted
quasar
1.4.1
Office04
Name1442-37611.portmap.host:37611
f21583dc-cd85-4a94-b7ea-858f2e9d6287
-
encryption_key
A43011D93D39774DA187A9FA7731DE56F484D345
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
xworm
127.0.0.1:37611
Name1442-37611.portmap.host:37611
-
Install_directory
%AppData%
-
install_file
svchost.exe
Targets
-
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
d736427dd2ccd3f8a536d5cf69827f6f
-
SHA1
20db2442845c8559801de82434b3af89b6545c4a
-
SHA256
0463f6a7f96dd95ae2352e658a17210f6242fec676cacd4c9a8042e1b040560e
-
SHA512
822bdf46a2f950f42a8c17afe9cf1ca27685fb44e180966871df2f2da08b872a10e72e5c892b901d3c1a9f2421ed91ac14b452d0d87fff8146e3839740fb0112
-
SSDEEP
49152:fvvlL26AaNeWgPhlmVqvMQ7XSKPmEqf5P+rk/GLoGABTHHB72eh2NT:fv9L26AaNeWgPhlmVqkQ7XSKZqU
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
Quasar family
-
Quasar payload
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1