General
-
Target
FlashingSoftwarePRO.exe
-
Size
3.1MB
-
Sample
241220-w7ef6asjgr
-
MD5
b2f5d1078f1ed4eb8547f19b48dc5126
-
SHA1
657254864bfab24f564888e230da7f46266ecb4c
-
SHA256
4f872140210a9253c0deb66a65f0c265a194e85d99a639f406d927a1ac760903
-
SHA512
9f850a289fd4ac3b7f1e94e8ec179b99e6ae9c78cd7ef164aefd87c4d14d9f7995c60596cc1720a17afe0fc40d32715886a9fd8695c11ac6941077e45528c882
-
SSDEEP
49152:vvxI22SsaNYfdPBldt698dBcjH1uRJ6ebR3LoGduTHHB72eh2NT:vvi22SsaNYfdPBldt6+dBcjH1uRJ6Y
Malware Config
Extracted
quasar
1.4.1
svchost
7.tcp.eu.ngrok.io:10771
7.tcp.eu.ngrok.io:4782
75e27cf2-023d-4d6d-9a0d-265f3da40a2e
-
encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
300
-
startup_key
RuntimeBroker
-
subdirectory
System32
Targets
-
-
Target
FlashingSoftwarePRO.exe
-
Size
3.1MB
-
MD5
b2f5d1078f1ed4eb8547f19b48dc5126
-
SHA1
657254864bfab24f564888e230da7f46266ecb4c
-
SHA256
4f872140210a9253c0deb66a65f0c265a194e85d99a639f406d927a1ac760903
-
SHA512
9f850a289fd4ac3b7f1e94e8ec179b99e6ae9c78cd7ef164aefd87c4d14d9f7995c60596cc1720a17afe0fc40d32715886a9fd8695c11ac6941077e45528c882
-
SSDEEP
49152:vvxI22SsaNYfdPBldt698dBcjH1uRJ6ebR3LoGduTHHB72eh2NT:vvi22SsaNYfdPBldt6+dBcjH1uRJ6Y
-
Quasar family
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-