General
-
Target
fart.exe
-
Size
39.9MB
-
Sample
240628-xnmh4ascpm
-
MD5
e1a72f7e4426c8d5e849459fa7c7e476
-
SHA1
e1101a053ebe7cf5dc44f4f4ea787be113cae10f
-
SHA256
9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece
-
SHA512
0a2830e2f9e1872a98996f4221f1e81a33e8927e087397e7b3342fe79333974d030d8ff4176746c9cfd78eeb382d46a88023709c2e003b6a1ba00d883ee4426f
-
SSDEEP
786432:sxGPxJDr/A/brZCaMhEDL/BpYE0dkt3ZL3PDnsilllqs7GIKScPml8tBW:oGJJDrYPZCaEWLxVfDnplllpzMW
Static task
static1
Behavioral task
behavioral1
Sample
fart.exe
Resource
win7-20240221-en
Malware Config
Extracted
quasar
3.1.5
Slave
stop-largely.gl.at.ply.gg:27116
$Sxr-kl1r656AGsPQksTmi8
-
encryption_key
ql4fQ8TV9ZFP9vRX2myA
-
install_name
$sxr~Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$77STARTUP~MSF
-
subdirectory
$sxr~SubDir
Extracted
xworm
best-bird.gl.at.ply.gg:27196
super-nearest.gl.at.ply.gg:17835
wiz.bounceme.net:6000
Extracted
asyncrat
Default
finally-grande.gl.at.ply.gg:25844
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
quasar
1.4.1
Office04
history-foo.gl.at.ply.gg:42349
2beddbf7-c691-4058-94c7-f54389b4a581
-
encryption_key
CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Update
-
subdirectory
SubDir
Targets
-
-
Target
fart.exe
-
Size
39.9MB
-
MD5
e1a72f7e4426c8d5e849459fa7c7e476
-
SHA1
e1101a053ebe7cf5dc44f4f4ea787be113cae10f
-
SHA256
9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece
-
SHA512
0a2830e2f9e1872a98996f4221f1e81a33e8927e087397e7b3342fe79333974d030d8ff4176746c9cfd78eeb382d46a88023709c2e003b6a1ba00d883ee4426f
-
SSDEEP
786432:sxGPxJDr/A/brZCaMhEDL/BpYE0dkt3ZL3PDnsilllqs7GIKScPml8tBW:oGJJDrYPZCaEWLxVfDnplllpzMW
-
Detect Xworm Payload
-
Quasar payload
-
Async RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-