General
-
Target
liberium executor.exe
-
Size
3.1MB
-
Sample
241201-1ccrasxmfq
-
MD5
a83c74ddda692ff3e4279ef4d1e1ab6b
-
SHA1
f807912389ed16a9d7ac3e3e7b73282658c6ecf0
-
SHA256
46136025a4d84640710a3c3ab05588b2ff288c7294ea3d855061b67609839cf6
-
SHA512
70b79b90362b50fa52762554161f962535aff171f4cf3147afb960b5aba302cc8d969eb2168f331653b114b4199201be4ef5cd3bb97c67547708e2622e72874b
-
SSDEEP
49152:Svdt62XlaSFNWPjljiFa2RoUYIsSDsKdpvVoGdqTHHB72eh2NT:Svf62XlaSFNWPjljiFXRoUYIsCsE
Malware Config
Extracted
quasar
1.4.1
Office04
192.0.0.0.1:4782
92adbb05-a27e-42e8-b9a2-c260d01e742b
-
encryption_key
46B4B3697EBEA35C7930856CF4E60FB52D50DE37
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
executor
-
subdirectory
SubDir
Targets
-
-
Target
liberium executor.exe
-
Size
3.1MB
-
MD5
a83c74ddda692ff3e4279ef4d1e1ab6b
-
SHA1
f807912389ed16a9d7ac3e3e7b73282658c6ecf0
-
SHA256
46136025a4d84640710a3c3ab05588b2ff288c7294ea3d855061b67609839cf6
-
SHA512
70b79b90362b50fa52762554161f962535aff171f4cf3147afb960b5aba302cc8d969eb2168f331653b114b4199201be4ef5cd3bb97c67547708e2622e72874b
-
SSDEEP
49152:Svdt62XlaSFNWPjljiFa2RoUYIsSDsKdpvVoGdqTHHB72eh2NT:Svf62XlaSFNWPjljiFXRoUYIsCsE
-
Quasar family
-
Quasar payload
-
A potential corporate email address has been identified in the URL: 6633dd5dcff475e6fb744426_&@2x.png
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-