General
-
Target
FlashingSoftwarePRO.exe
-
Size
3.1MB
-
Sample
241221-r2vtqs1phj
-
MD5
3608197a5b870e97c7917a655f8c9240
-
SHA1
41e8d3be8c0a44c99bd026d6169b5b001a052b8e
-
SHA256
e2e1bf7f08cd2cfcdd1ab74b90b9c4120422afc319d76c32fe3f3d5f9f4a3b82
-
SHA512
ece2a0e33402644d693e66924d7d0cb25f73f3d4bddb78d724c846ebb423af79ec60f2d12c85643e6b6e174f02fce68419b8721341b4cff4c81a4dacac36aee9
-
SSDEEP
49152:vv4e821/aQWl8P0lSk3aKA3Z+n0eRJ6mbR3LoGd3THHB72eh2NT:vvj821/aQWl8P0lSk3DA3Z+n0eRJ6g
Malware Config
Extracted
quasar
1.4.1
svchost
7.tcp.eu.ngrok.io:10771
7.tcp.eu.ngrok.io:4782
4.tcp.eu.ngrok.io:4782
4.tcp.eu.ngrok.io:11979
43540180-8ea4-4fe9-9ada-4b4c6886888b
-
encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
300
-
startup_key
RuntimeBroker
-
subdirectory
System32
Targets
-
-
Target
FlashingSoftwarePRO.exe
-
Size
3.1MB
-
MD5
3608197a5b870e97c7917a655f8c9240
-
SHA1
41e8d3be8c0a44c99bd026d6169b5b001a052b8e
-
SHA256
e2e1bf7f08cd2cfcdd1ab74b90b9c4120422afc319d76c32fe3f3d5f9f4a3b82
-
SHA512
ece2a0e33402644d693e66924d7d0cb25f73f3d4bddb78d724c846ebb423af79ec60f2d12c85643e6b6e174f02fce68419b8721341b4cff4c81a4dacac36aee9
-
SSDEEP
49152:vv4e821/aQWl8P0lSk3aKA3Z+n0eRJ6mbR3LoGd3THHB72eh2NT:vvj821/aQWl8P0lSk3DA3Z+n0eRJ6g
-
Quasar family
-
Quasar payload
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-