General
- Target: 1.exe
- Size: 9.9MB
- Sample: 240627-xjjlmsxdnm
- MD5: 96d23c2d4dcee40729b28f949ca2d003
- SHA1: 8ab47f812f842cf093c0289daab045fb534ea7a1
- SHA256: 13d446a0227f75aa7cf81637029ecc0dd2238639a4c1cdef89748b360be7c626
- SHA512: 0b3b780f7ec58137bad0c97d8974ed6c4e8ecb5d1e2dab2e2c424cf172f24bb87dbd7f1d36249fae346bcb3e98d2877863b66ac41b0b09afe1d2e97907d6d34d
- SSDEEP: 196608:3iHTKMoeQFbfeN/FJMIDJf0gsAGK5SEQRWuAKt+L:M//Fqyf0gsfNRAK
Behavioral task
- behavioral1
  - Sample: 1.exe
  - Resource: win10v2004-20240611-en
Malware Config
Extracted
- quasar
  - reconnect_delay: 3000
Extracted
- quasar
- 1.4.1
- Office04
- history-foo.gl.at.ply.gg:42349
- 51fe5088-4e6f-43ea-a53f-ed49150587aa324254r4r3weff4f45r3ewwtrfrt
  - encryption_key: CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
  - install_name: Client.exe
  - log_directory: Logs
  - reconnect_delay: 3000
  - startup_key: Update
  - subdirectory: SubDir
Targets
- Target: 1.exe
- Size: 9.9MB
Signatures
- Quasar payload
- Drops file in Drivers directory
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)