General
-
Target
Loader.exe
-
Size
9.8MB
-
Sample
240627-qswh8stdlh
-
MD5
bb57e95ad7ac1da6307c62d2e75a7e6d
-
SHA1
403145af8d0e5260ff0bb9eacac51e9a667214e2
-
SHA256
e2b6fb77c0c45a1ac911cfabea26c5dceb234bed0eb4b3ffa5c12af22a4cd630
-
SHA512
12517e3eeb1bef18999807d8a08ce50d743b3dd4ff45d54bd4bfc552620ac6c9ff62fa212e8b1c61d5343d8bbd2dc9da0537f554893799ae23ab3748d14c4bf8
-
SSDEEP
196608:jNZYch2QFbfeN/FJMIDJf0gsAGK5SEQRWuAKt+L:Di/Fqyf0gsfNRAK
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Extracted
quasar
1.4.1
Office04
history-foo.gl.at.ply.gg:42349
2beddbf7-c691-4058-94c7-f54389b4a581
-
encryption_key
CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Update
-
subdirectory
SubDir
Extracted
xworm
best-bird.gl.at.ply.gg:27196
super-nearest.gl.at.ply.gg:17835
wiz.bounceme.net:6000
Extracted
asyncrat
Default
finally-grande.gl.at.ply.gg:25844
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
quasar
3.1.5
Slave
stop-largely.gl.at.ply.gg:27116
$Sxr-kl1r656AGsPQksTmi8
-
encryption_key
ql4fQ8TV9ZFP9vRX2myA
-
install_name
$sxr~Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$77STARTUP~MSF
-
subdirectory
$sxr~SubDir
Targets
-
-
Target
Loader.exe
-
Size
9.8MB
-
MD5
bb57e95ad7ac1da6307c62d2e75a7e6d
-
SHA1
403145af8d0e5260ff0bb9eacac51e9a667214e2
-
SHA256
e2b6fb77c0c45a1ac911cfabea26c5dceb234bed0eb4b3ffa5c12af22a4cd630
-
SHA512
12517e3eeb1bef18999807d8a08ce50d743b3dd4ff45d54bd4bfc552620ac6c9ff62fa212e8b1c61d5343d8bbd2dc9da0537f554893799ae23ab3748d14c4bf8
-
SSDEEP
196608:jNZYch2QFbfeN/FJMIDJf0gsAGK5SEQRWuAKt+L:Di/Fqyf0gsfNRAK
-
Detect Xworm Payload
-
Quasar payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1