General
Target: c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe
Size: 348KB
Sample: 240620-qgq5datcrl
MD5: 11767ecb9deb6b80bf781e6f47b859d5
SHA1: 7eabf94ea15bef9d48100159ff54e5117d7ead77
SHA256: c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797
SHA512: 849f033d3d6a4a9969ccfee4a468a48c7c894326a8f0d6e3d64ecc00d6f92593af10da01319ef3b8ffd5fd34070735d1b8877a7b1fa9e7845c1b661edf16ddfd
SSDEEP: 6144:PyUhIvTCqL/0+Ad3zEGMcQbzGD5VeKyvh1UGoAhQqwO:qNTCKxANEKemqsGoAqqwO

Malware Config
Extracted
quasar
1.3.0.0
Office04
127.0.0.1:4782
QSR_MUTEX_Qfx1LgLjDrqR2O9eT4
encryption_key: 1UqQuJicXDNgw96Qw7o7
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: winlogon.exe
subdirectory: SubDir

Targets
Target: c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe
Quasar payload
Executes dropped EXE
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.