General
-
Target
SeroXen.rar
-
Size
7.4MB
-
Sample
240701-t87g8aserl
-
MD5
3e5e034189b129f8ffd7b6ae57982740
-
SHA1
a099319659a4852ee87219d15bd04606660a9afa
-
SHA256
43b56573aa46b0a5c526e41ef58f0e902074181622a7b7508fa97c447b8afcc9
-
SHA512
578eec54ab0603ba4689590a181510e9aaf04bb3863f6283f19ff241f343ccd9cfbac8d35b7bcb65ece1d76122e0b808f90918ac468e3b4987717bd821c5b258
-
SSDEEP
196608:zSoEufZDDXsWegc13ygKrA8Uwsqew2k8ASGh/RHrw:zSoZDDXvcwrA8KkLB/hw
Static task
static1
Behavioral task
behavioral1
Sample
SeroXen.rar
Resource
win10v2004-20240508-en
Malware Config
Extracted
quasar
15.5.0
SeroXen
147.185.221.20:49485
QSR_MUTEX_rzhQPLl57DqbMvbZp9
-
encryption_key
M2nw0PLpJxuyZQLyQ14p
-
install_name
Client.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
SeroXen.rar
-
Size
7.4MB
-
MD5
3e5e034189b129f8ffd7b6ae57982740
-
SHA1
a099319659a4852ee87219d15bd04606660a9afa
-
SHA256
43b56573aa46b0a5c526e41ef58f0e902074181622a7b7508fa97c447b8afcc9
-
SHA512
578eec54ab0603ba4689590a181510e9aaf04bb3863f6283f19ff241f343ccd9cfbac8d35b7bcb65ece1d76122e0b808f90918ac468e3b4987717bd821c5b258
-
SSDEEP
196608:zSoEufZDDXsWegc13ygKrA8Uwsqew2k8ASGh/RHrw:zSoZDDXvcwrA8KkLB/hw
-
Quasar payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-