General
-
Target
FlashingSoftwarePRO.exe
-
Size
3.1MB
-
Sample
241221-r4k3ba1qbm
-
MD5
c76ab36150bf9a2c72e7b1c3d2440f30
-
SHA1
a3719eabbb7f6da523650a9f606fda7f34f9305c
-
SHA256
f9bf98b2e090d49b4830760b942d9208c33169ccd43814fc2a38955d74df15ab
-
SHA512
c493f8553797411eefddfc4ffb448c61e3610bea9a3e774aea0048dc46359d61092b5e71bb957cdcc4affa766cb0692bbb8126e084967f00516cf66288232114
-
SSDEEP
49152:sv5go2QSaNpzyPllgamb0CZof/JfaN9ETJDh+ueoGdoZdTHHB72eh2NT:sv6o2QSaNpzyPllgamYCZof/JfaN6T6
Malware Config
Extracted
quasar
1.4.1
svchost
7.tcp.eu.ngrok.io:10771
7.tcp.eu.ngrok.io:4782
4.tcp.eu.ngrok.io:4782
4.tcp.eu.ngrok.io:11979
4.tcp.eu.ngrok.io:12435
6bc3b1f8-4e29-4c42-b638-2062ec672f6f
-
encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
300
-
startup_key
RuntimeBroker
-
subdirectory
System32
Targets
-
-
Target
FlashingSoftwarePRO.exe
-
Size
3.1MB
-
MD5
c76ab36150bf9a2c72e7b1c3d2440f30
-
SHA1
a3719eabbb7f6da523650a9f606fda7f34f9305c
-
SHA256
f9bf98b2e090d49b4830760b942d9208c33169ccd43814fc2a38955d74df15ab
-
SHA512
c493f8553797411eefddfc4ffb448c61e3610bea9a3e774aea0048dc46359d61092b5e71bb957cdcc4affa766cb0692bbb8126e084967f00516cf66288232114
-
SSDEEP
49152:sv5go2QSaNpzyPllgamb0CZof/JfaN9ETJDh+ueoGdoZdTHHB72eh2NT:sv6o2QSaNpzyPllgamYCZof/JfaN6T6
-
Quasar family
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-