General

Target: Powershell Obfuscated 2.exe
Size: 292KB
Sample: 250109-abzlka1rbl
MD5: f30af95c3a3c086eebf694c35dda04e2
SHA1: 345ec2b55213feb12c9d28a8954f9a516002be2b
SHA256: 7e5bff5c80bb4378e89034d0fee7b956c0b4920f15ce43dc85f103211ec24137
SHA512: a439f4c3ba8698399544643e842da15fd13f4e1b96efa49527d0aba5696d0f62daa0137a185f87951969f6cd6bbbafadc356aed376707fce260e2ce8cdd496a9
SSDEEP: 1536:KIxTgCJepaWKK41pBcGMKs17xij+zdbOtEpfZ+sFIAO:KqTgae4WKK41p5s178j8dSe1Z+uI

Static task: static1
Behavioral task: behavioral1
Sample: Powershell Obfuscated 2.exe
Resource: win7-20241010-en

Malware Config

Extracted: quasar
Version: 1.4.1
Campaign/group: Office04
C2: 192.168.2.110:4782
Mutex/ID: 1300aa31-7590-4a5d-99c0-1cf7ee258de3
encryption_key: 0D2143EAF59053EDE8DEB526A5F17A6BCA4107D2
install_name: EcomMaker.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir

Targets

Target: Powershell Obfuscated 2.exe
Size: 292KB
MD5: f30af95c3a3c086eebf694c35dda04e2
SHA1: 345ec2b55213feb12c9d28a8954f9a516002be2b
SHA256: 7e5bff5c80bb4378e89034d0fee7b956c0b4920f15ce43dc85f103211ec24137
SHA512: a439f4c3ba8698399544643e842da15fd13f4e1b96efa49527d0aba5696d0f62daa0137a185f87951969f6cd6bbbafadc356aed376707fce260e2ce8cdd496a9
SSDEEP: 1536:KIxTgCJepaWKK41pBcGMKs17xij+zdbOtEpfZ+sFIAO:KqTgae4WKK41p5s178j8dSe1Z+uI

Signatures

- Quasar family
- Quasar payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE