General
-
Target
Authenticator.exe
-
Size
375KB
-
Sample
241224-bz3tkayjhl
-
MD5
85b43fd8aa9d8b09b8613f2fa47c6bb0
-
SHA1
3729c0739c24b7ed9fda30684173a869c7398e80
-
SHA256
6eea566794504979f9fa4d75285751f49afde178ad8a0cdfb81fceec9ebb2eb9
-
SHA512
2898dc0c44a6543136281cf0bbdc03c3cc958098366773fc31ab047c2819e9df3d2b5596ded0d9a2811d915d4ced0404494dfa3381572c56dda9bf2772706ef2
-
SSDEEP
6144:YbqQ4i1FFiEKZVSQZzs5jQKbgQ203StbjjSQkzaozVVqH:CpliPScgCy73StbjjSQkVzV0H
Behavioral task
behavioral1
Sample
Authenticator.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Authenticator.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
quasar
1.3.0.0
Authenticator
iamaskibiditoilet-58299.portmap.host:58299
QSR_MUTEX_bNzknSVeSVx21JnqhQ
-
encryption_key
wAIAzlOLR0d5V3YI1aCM
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Runtime Broker
-
subdirectory
SubDir
Targets
-
-
Target
Authenticator.exe
-
Size
375KB
-
MD5
85b43fd8aa9d8b09b8613f2fa47c6bb0
-
SHA1
3729c0739c24b7ed9fda30684173a869c7398e80
-
SHA256
6eea566794504979f9fa4d75285751f49afde178ad8a0cdfb81fceec9ebb2eb9
-
SHA512
2898dc0c44a6543136281cf0bbdc03c3cc958098366773fc31ab047c2819e9df3d2b5596ded0d9a2811d915d4ced0404494dfa3381572c56dda9bf2772706ef2
-
SSDEEP
6144:YbqQ4i1FFiEKZVSQZzs5jQKbgQ203StbjjSQkzaozVVqH:CpliPScgCy73StbjjSQkVzV0H
Score10/10-
Quasar family
-
Quasar payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-