General
-
Target
7e3c88b63ad3aa607cc07c79c05075eec2832c9a4ccb03e0005620759081f31f
-
Size
288KB
-
Sample
241221-ce42kaznfp
-
MD5
80738ce6e30247c37ee36568c43c8a5f
-
SHA1
23e857927a17559cff000d3cde52d2fdf4b99cc9
-
SHA256
7e3c88b63ad3aa607cc07c79c05075eec2832c9a4ccb03e0005620759081f31f
-
SHA512
ea2a6a84ac11eb7631fb04c8fb6c30aa3aa3238dae674bfee5e859296a0f3f25e0ef9d44ee7b3550c9cae44323363e16d882d5be1b305e19408e0a2d05b24c48
-
SSDEEP
6144:k7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbkvn:alJtTF9zVGkllbk/
Behavioral task
behavioral1
Sample
7e3c88b63ad3aa607cc07c79c05075eec2832c9a4ccb03e0005620759081f31f.exe
Resource
win7-20240903-en
Malware Config
Extracted
quasar
1.4.0.0
Office04
hiyashi-64129.portmap.io:64129
PjIwWrgtTiUxldOLKM
-
encryption_key
NN6uwWE7m1kB5ep5QSu8
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svhost
-
subdirectory
SubDir
Targets
-
-
Target
7e3c88b63ad3aa607cc07c79c05075eec2832c9a4ccb03e0005620759081f31f
-
Size
288KB
-
MD5
80738ce6e30247c37ee36568c43c8a5f
-
SHA1
23e857927a17559cff000d3cde52d2fdf4b99cc9
-
SHA256
7e3c88b63ad3aa607cc07c79c05075eec2832c9a4ccb03e0005620759081f31f
-
SHA512
ea2a6a84ac11eb7631fb04c8fb6c30aa3aa3238dae674bfee5e859296a0f3f25e0ef9d44ee7b3550c9cae44323363e16d882d5be1b305e19408e0a2d05b24c48
-
SSDEEP
6144:k7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbkvn:alJtTF9zVGkllbk/
-
Quasar family
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1