General
Target: smss.exe
Size: 3.1MB
Sample: 240620-vtnbgashnp
MD5: cdd7d0cd4d066e6c4c150ffc74ada986
SHA1: 30c0f4b8f36e861e894ec8e632209242dd3a200e
SHA256: 71647321f5450a943f19817e997b58891f101d1483170254217110397aae9439
SHA512: 331677d29db5d59fd34df24ce4b98e42f029b6d278710c62eea59138324e29943ca6920d298254fe5c0c230ffd10d04d2215254a0b3dffed8891b6b69d91cfba
SSDEEP: 49152:rvmI22SsaNYfdPBldt698dBcjHCC11Jn6oGdDTHHB72eh2NT:rvr22SsaNYfdPBldt6+dBcjHCCE
Behavioral task: behavioral1
Sample: smss.exe
Resource: win7-20240419-en
Malware Config
Extracted family: quasar
Version: 1.4.1
Tag (botnet): Office04
C2: 0.tcp.eu.ngrok.io:15861
Mutex: 2e0b210d-493f-47bb-9836-a3aaec70bb3b
encryption_key: EE767A1BA3E1F0485B5445EFDAA6890E4A9D52BC
install_name: dllhost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SYSWOW
Targets
Target: smss.exe (the same file described under General)
Signatures:
- Quasar payload
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory