General
Target: FNknoxV1 (1).rar
Size: 7.1MB
Sample: 240627-z8n9ja1gmf
MD5: 54ee74680681d2af21e9fb0bd1cef8e3
SHA1: d44b497e033bb3e0b6eea587e9857d6096741a97
SHA256: bccfea0aa1f93962c5e794076f9a1da37fa67114cf88809a3f65f6ae8bb44655
SHA512: 32bf6d6aed84dfb68ef6b798394cb455e13d493ca716a419cc9099601e5a374a6ddd9f7a9b7f0f66ebf4e1f5cbe4fd3b4cec4324f52f23d3a0f031fb595e1021
SSDEEP: 196608:P0ppKTn4gYSk0FqNfrRFmgbmY7Qw93lXo/8X4M3St19:P0pwUTSk0FqNftFP97193FVXJ619
Behavioral tasks

behavioral1
Sample: Driver.dll
Resource: win10v2004-20240611-en

behavioral2
Sample: FNknoxV1.exe
Resource: win7-20231129-en

behavioral3
Sample: FNknoxV1.exe
Resource: win10v2004-20240508-en

behavioral4
Sample: ���UV6.pyc
Resource: win7-20231129-en

behavioral5
Sample: ���UV6.pyc
Resource: win10v2004-20240611-en

behavioral6
Sample: mciavi32.dll
Resource: win10v2004-20240508-en

behavioral7
Sample: spwizimg.dll
Resource: win10v2004-20240508-en
Malware Config

Extracted family: quasar
Version: 1.3.0.0
Botnet: AIMBOT
C2: hanekez.ddns.net:1005
Mutex: QSR_MUTEX_cFkbY7JfacEJJSBZBJ
encryption_key: Zu6989wNCzakRG4JG624
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Targets

Target: Driver.dll
Size: 242KB
MD5: 9a41f2a54a2fa0b81b2511e32e914f2c
SHA1: 3276c4d7be73019a6a7fe8e218a98228ac930ce4
SHA256: 3cc04edaa12d7feed849f1b88e10d49b948b1ef2a62e197ac35d41e5b35dbfcc
SHA512: 8fd80dc238b3d8d75797720dc6117ff41b7064804ee243bc3e5d5c847c20856a22b30d9ed579aa1b565fc57c65bd138d913069a26cb71a93b0134b77df36dc27
SSDEEP: 3072:2QaHp8CKxa1Kd0B7itS5jWqJgvFmtPb9WxBvk4rFTbRL2LP/jWoF3tK8cDL6v51y:2QFPxm5BetSEqJgtibSs4HvD4YQ
Score: 1/10

Target: FNknoxV1.exe
Size: 7.0MB
MD5: 127d96c8d795e8420ee8e1e178b6dfe9
SHA1: e8db8d8577ac74a60de1afb5350b63fa8e49d045
SHA256: 2ecbcb10d1027d3c8b3288d6d73010163631e3f578fe0d3ab996400dd9474e06
SHA512: f98eb6fdb763b0ab062a4a3f1d2a17fade1fd8e937bbd34f2c3fed8bd50de1dae57f75c0c67b533b09d6e86cf35fcc0bf8a6755103f0a76dcc7ea63f315acbe1
SSDEEP: 98304:OwzdbM+Q2y+aq0AANDhjOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbiEJ1nL2hBnP:OGf0AKpOjmFQR4MVGFtwLPsnL2hV/H
Signatures:
Quasar payload
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.

Target: ���UV6.pyc
Size: 1KB
MD5: 2d8979c8b326bdc63867f079fc7b0f57
SHA1: 46b8c08b633be55b42bcd91e8ae5bf898e0a8054
SHA256: b0941402101d5edc5da650f5706b52cb4becb5e2d942fd970041692f1eddcebe
SHA512: 23f9f920bd10cd4981e0956d4ba3eb66842656b3437d250c96773f5a3c7ac081f2db50f0b9602b57755e80a37281243a02e7c3511418df9e64fb6e34ddeb86b5
Score: 1/10

Target: mciavi32.dll
Size: 101KB
MD5: e9944f49dfaa4d580ddfbd676d61d397
SHA1: 6f9e0bfec72657355ee400c71668779ee41b5ba6
SHA256: 30317e32d7f5e36ad2674353a198f5b2760ff121c40cc0cf11be0cf9729fadb5
SHA512: fd494ad6aa5520e3e115cc5104882aa9922ecb181e61a03969aad73273ffa6cd8c0269994e0eec8676b41d2a7832db722d51b5e0bce9c7a7ed8d11b5330a289b
SSDEEP: 1536:4bfvWWJHxioRuscmoKKHeH8vQINmgZUg4nP8lNM3t3qs7SO2xjlyGp8w:4rWmsscmoKgDQInYXt3qsHSJyS8w
Score: 1/10

Target: spwizimg.dll
Size: 5.6MB
MD5: 6259c2ebf8f1b15c4b075e413bf32598
SHA1: 80ef443ed0dc3c93476b7a0edfa0fd76f2baa50a
SHA256: b206630e0c06b9bea1809d80b9f2601ee417857e7c8a22c1854e30c08ea744e1
SHA512: ecab9c71e95dcf2463490f34a2a66f5e9353b4be9af888f30b4e93520b4fa5a6a8fac5e69f84efeb88e195758d951cba8e36c9957eef261f4f9fb063bb04e395
SSDEEP: 3072:OtsxIS9L+rz5iG7aB+H+Yge19NT6lBc/0yY+wcE9rCbpxTNX5vNRZWyXzyKblUuB:O6xISpQiG7aBMjNxTNX5vZ
Score: 1/10