General
Target: Unborn Loader.rar
Size: 2.4MB
Sample: 241214-v22h3a1laj
MD5: 30e58249ce4ad8eedab5ba96cc249bde
SHA1: 51b082f305f74b1ff70c7a19312cccd1fbe34859
SHA256: 6f0508001795fa33102003e9fba80a30b91a68a2f2cc93897bf8810b3952cbf1
SHA512: ce3e87d1cf44a657e6e11212dfe0bc8597e23117ac4ef7dcdd782464fbcfd6464e9892fecbbb4715c4c2f945f30ca92212faf27ed7abee783829bf9138189216
SSDEEP: 49152:V4SvGjF/Ma6VaXHjKf/rd3mterJl997XilaZLEmkwXCYJTU2pXsSWGl31iaV:VOF/MijWoI9ljzSlV+TUcnl
Static task: static1

Behavioral task behavioral1: Sample Unborn Loader.rar, Resource win7-20241010-en
Behavioral task behavioral2: Sample Unborn Loader.rar, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample Unborn Loader.exe, Resource win7-20241010-en
Behavioral task behavioral4: Sample Unborn Loader.exe, Resource win10v2004-20241007-en
Behavioral task behavioral5: Sample d3dx9_39.dll, Resource win7-20240903-en
Behavioral task behavioral6: Sample d3dx9_39.dll, Resource win10v2004-20241007-en
Behavioral task behavioral7: Sample msvcp140.dll, Resource win7-20240903-en
Behavioral task behavioral8: Sample msvcp140.dll, Resource win10v2004-20241007-en
Malware Config
Extracted: quasar
1.4.1
fontdrvhost
vaxlet.duckdns.org:1852
afa818a3-1965-4b44-bd1c-c136b77dd6c2
encryption_key: 72F1D1477892633326199B903D992BF6D42C80FC
install_name: fontdrvhost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: fontdrvhost
subdirectory: Driver
Targets

Target: Unborn Loader.rar
Size: 2.4MB
MD5: 30e58249ce4ad8eedab5ba96cc249bde
SHA1: 51b082f305f74b1ff70c7a19312cccd1fbe34859
SHA256: 6f0508001795fa33102003e9fba80a30b91a68a2f2cc93897bf8810b3952cbf1
SHA512: ce3e87d1cf44a657e6e11212dfe0bc8597e23117ac4ef7dcdd782464fbcfd6464e9892fecbbb4715c4c2f945f30ca92212faf27ed7abee783829bf9138189216
SSDEEP: 49152:V4SvGjF/Ma6VaXHjKf/rd3mterJl997XilaZLEmkwXCYJTU2pXsSWGl31iaV:VOF/MijWoI9ljzSlV+TUcnl
Score: 7/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL

Target: Unborn Loader.exe
Size: 932KB
MD5: b09fc8269f897d7f94bd58ef20f42545
SHA1: b10fb06fb53767676a83ea0f65678b4fbd90cd1b
SHA256: 6ad82006952f9fc912bdd3a767492098cc2ab7ffa7f2cdbc7114bd77a50f4c4c
SHA512: c88db52dfbe8afcc0d79a77cb1cf71e03f4b1a432782c93ea21259bc62bea2018c5372da110eb9c1eae853fafcb714911b6d90b634565012236ce810c1cb308a
SSDEEP: 24576:zI9Y4Mb7AL/JCd1Cnw7u36GMiyr745v/gY:zI9RMgL/senNJWr745vP
Signatures:
- Quasar family
- Quasar payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Executes dropped EXE
- Indicator Removal: File Deletion (adversaries may delete files left behind by the actions of their intrusion activity)
- Drops file in System32 directory

Target: d3dx9_39.dll
Size: 4.8MB
MD5: 7505c133fc704b40cfddfd38777baac3
SHA1: 34fcfe7be4a9ea08c63b6f5392ac8cd10a05827a
SHA256: aecbe2965f7c9aa60257670114c06b21a3de914b03e20ff569c5cb44ec4807fd
SHA512: 8ca2d8be9dd148587906b154ec9d3ca0d1d7cd781c2bf307011407303fce981acce63d28329083a6a731442743732789aaea0a7bbd4e2d2a57d4f3e284f7b471
SSDEEP: 49152:RPCvau58R2Rr3DnyPD81PDWdlFiyPbznxZRjhLcvRVFQHgIkNn0QwdyQKZwGUfcA:RapzyPFdBv6XFQH4Nn0FdMq0nA
Score: 1/10

Target: msvcp140.dll
Size: 576KB
MD5: 7b92a6cb5d2cad407c457ab12d2b211d
SHA1: e04020b3448fc6084fa31b7f791f22ff15e31328
SHA256: 3c6a772319fff3ee56d4cedbe332bb5c0c2f394714cf473c6cdf933754114784
SHA512: b28740c1aca4f0f60a9e4a9ab5a0561af774d977ab6d42a7eea70c9e560c77c50be5d9d869f05d0435e2923f4f600219335d22425807ab23cbbcda75442c4b42
SSDEEP: 12288:RI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRvbQEKZm+jWodEEVhQ:RD89rxZCQEKZm+jWodEEPQ
Score: 1/10