General
Target: 1ebc16b09f9f1cdf224a0b50333c95ae.exe
Size: 863KB
Sample: 240612-dhwd9szarn
MD5: 1ebc16b09f9f1cdf224a0b50333c95ae
SHA1: 33c77f6b12a89171f91a212b233a43d4dfd9be71
SHA256: 4e5e207318513ffd66653a5106a121d2790a98dc25a103c67c3476b142612915
SHA512: f3dc8cec13b6eef1b2bad396fc7291fc3c026031283a5b30749f4e593fa8954981bb97e9c49f8d27aa146f5e9f55d315b774ce6ae2e2b57c5b5c2a9f4b21cebd
SSDEEP: 12288:EgxwPTQBSqsfmrrPccQejxv6LP9V/Z+jqV1JudejYmKD4/h9lDS0SqEVVEbNoi11:VxFeqPNFycCMdeqD4ZDpSfVaCqDnh
Static task: static1
Behavioral task: behavioral1
Sample: 1ebc16b09f9f1cdf224a0b50333c95ae.exe
Resource: win7-20240611-en
Malware Config
Extracted:
quasar
1.4.0
Office04
38.180.9.93:4782
5a8251f0-2689-4ef1-8412-aac562e02a4d
encryption_key: C9BC046B617DD0F608706B9640C8D97C327969FB
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: ent Startup
subdirectory: SubDir
Targets
Signatures:
- Quasar payload
- Looks for VirtualBox Guest Additions in registry
- Command and Scripting Interpreter: PowerShell (runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes)
- Looks for VMWare Tools registry key
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments)
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Maps connected drives based on registry (disk information is often read in order to detect sandboxing environments)
- Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation:
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Defense Evasion:
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Impair Defenses (3)
- Disable or Modify Tools (3)
- Modify Registry (4)
- Virtualization/Sandbox Evasion (2)