General
-
Target
457143901d9ca2f0bc836c1dd1faefe3.bin
-
Size
733KB
-
Sample
240630-cc2tesvhrr
-
MD5
840f009d320d2d16bba0c66f2d0e831a
-
SHA1
20109e16cca047d7829f21ce907979fbee6ee13a
-
SHA256
ee7d4244e534803ab573e663323b3f83dd9924955a13d7b8696692ad93d7216b
-
SHA512
7e62ed08fe4c70546fdad8239539b861b374b651083308a669ea3995fd2256266b1c3b550658acba9ce142c76cbe056dcee803947ae5cfa911b40142e7a84793
-
SSDEEP
12288:oNz3nEk+buOTeLAGj5wR6ztUSAo0GeOs/MiaQQYWtCszQz2YMrlMnMy34DrrRxYK:g3nl+6O7uBg/gQb4CCQz2/uMe4DZNcK
Static task
static1
Behavioral task
behavioral1
Sample
cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
Resource
win7-20240508-en
Malware Config
Extracted
xworm
head-experimental.gl.at.ply.gg:46178
best-bird.gl.at.ply.gg:27196
super-nearest.gl.at.ply.gg:17835
wiz.bounceme.net:6000
-
install_file
USB.exe
Extracted
quasar
3.1.5
Slave
stop-largely.gl.at.ply.gg:27116
$Sxr-kl1r656AGsPQksTmi8
-
encryption_key
ql4fQ8TV9ZFP9vRX2myA
-
install_name
$sxr~Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$77STARTUP~MSF
-
subdirectory
$sxr~SubDir
Extracted
asyncrat
Default
finally-grande.gl.at.ply.gg:25844
-
delay
1
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
-
Size
748KB
-
MD5
457143901d9ca2f0bc836c1dd1faefe3
-
SHA1
11e554dcfca0dd51c5bfe92d35b9c13b21b81691
-
SHA256
cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26
-
SHA512
0bd04e37e8f3bb869783661972b83ec8fb6b06727eff27374d2855e714b31cd51b15ada8e46d8b09eda9367dd002f65436785b7962f80f5812396aff3c03c0d0
-
SSDEEP
12288:Ykpcy+P2t8ysP8ZURBmtxjlk/u6ntgJ2E3P0DtaxoisMLHsXxteTX:Ykpcy5tVZqBmTji/PQP0Zaxd5LHxT
-
Detect Xworm Payload
-
Quasar payload
-
Async RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-