General

Target: Update.exe
Size: 413KB
Sample: 240707-xctg9swgmk
MD5: 8d4ed7f39ea9c8d397d9fe7cde96f96f
SHA1: 1c9f7a1004a813aec578529267f13cf59c963dc6
SHA256: 021453aad14a59162bbdcc15650f5c7595a8141864b8f41c1154b1ea7d0edad1
SHA512: 75f580d2fbfacd287529434f9fda86a9cc237c4c8a328f93abe2e18b531bf138512e07e359f30a5e1a239f15849e560f3fd8fbcb77eb3568d3e73f4b2155a7d9
SSDEEP: 6144:ZhmEjkzQT1TVNfUacoN2IAanViSRHxb3DFFu4zccHoY0MKfIR+wt7IWqsGa:r1TVVDfAanViSr2GccHN2I0wFfGa
Behavioral tasks

behavioral1: Sample Update.exe, Resource win10-20240404-en
behavioral2: Sample Update.exe, Resource win10v2004-20240704-en
Malware Config

Extracted
Family: quasar
Version: 3.1.5
Botnet: Office04
C2: ireless-boston.gl.at.ply.gg:41366
Mutex: $Sxr-a4FI5KvPJWMj2Jorq9

Attributes
encryption_key: 2n7OoPxwl2unZ7DjPE2s
install_name: systemlogs.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: systemlogs
subdirectory: SubDir
Targets

Target: Update.exe (413KB; hashes identical to the General section above)
Signatures

- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
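The extracted config and the behaviours listed above translate directly into host and network detections. The following is an added example written for this page; it is not code from the Triage report or from the sample. It takes the config values shown here (C2 host:port, install_name, startup_key, subdirectory) and runs simple rules over constructed event lines. The key="value" line layout is a stand-in for Sysmon (EventID 1/3/13) and PowerShell script-block (EventID 4104) records, not a real log schema, and the install path under AppData\Roaming is an assumption: the report does not state where the dropped copy lands.

```python
import re

# Values copied from the extracted Quasar config on this page.
QUASAR_CONFIG = {
    "c2": "ireless-boston.gl.at.ply.gg:41366",
    "install_name": "systemlogs.exe",
    "startup_key": "systemlogs",
    "subdirectory": "SubDir",
}

# PowerShell that weakens Defender: exclusion additions or feature disables.
DEFENDER_TAMPER = re.compile(
    r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)"
    r"|Set-MpPreference\b.*-Disable\w+\s+(?:\$true|1)\b",
    re.IGNORECASE,
)

# Constructed event lines in a simplified key="value" layout (assumption, not a
# real Sysmon/EVTX schema). EventID 1 = process create, 3 = network connection,
# 13 = registry value set, 4104 = PowerShell script block. The AppData\Roaming
# install location is assumed; the last two lines are benign noise.
SAMPLE_EVENTS = [
    'EventID="1" Image="C:\\Users\\victim\\Desktop\\Update.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID="4104" ScriptBlockText="Add-MpPreference -ExclusionPath \'C:\\Users\\victim\\AppData\\Roaming\\SubDir\' -ExclusionProcess \'systemlogs.exe\'"',
    'EventID="1" Image="C:\\Users\\victim\\AppData\\Roaming\\SubDir\\systemlogs.exe" ParentImage="C:\\Users\\victim\\Desktop\\Update.exe"',
    'EventID="13" TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\systemlogs" Details="C:\\Users\\victim\\AppData\\Roaming\\SubDir\\systemlogs.exe"',
    'EventID="3" Image="C:\\Users\\victim\\AppData\\Roaming\\SubDir\\systemlogs.exe" DestinationHostname="ireless-boston.gl.at.ply.gg" DestinationPort="41366"',
    'EventID="13" TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive" Details="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
    'EventID="3" Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" DestinationHostname="example.com" DestinationPort="443"',
]


def parse_event(line):
    """Turn one constructed key="value" line into a dict of fields."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def c2_endpoint(cfg):
    """Split the config's host:port string into (lowercased host, int port)."""
    host, _, port = cfg["c2"].rpartition(":")
    return host.lower(), int(port)


def classify(event, cfg=QUASAR_CONFIG):
    """Return the list of configured behaviours this event exhibits (empty = benign)."""
    hits = []
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    # subdirectory\install_name is the tail of the dropped copy's path, wherever it lands.
    install_tail = "\\" + (cfg["subdirectory"] + "\\" + cfg["install_name"]).lower()

    if eid == "1" and image.endswith(install_tail):
        hits.append("executes dropped install binary")
    if eid == "13":
        target = event.get("TargetObject", "").lower()
        if "\\currentversion\\run\\" in target and target.endswith("\\" + cfg["startup_key"].lower()):
            hits.append("run-key persistence (startup_key)")
    if eid == "3":
        host, port = c2_endpoint(cfg)
        if (event.get("DestinationHostname", "").lower() == host
                and event.get("DestinationPort") == str(port)):
            hits.append("connection to configured C2")
    if eid == "4104" and DEFENDER_TAMPER.search(event.get("ScriptBlockText", "")):
        hits.append("Defender exclusion/disable via PowerShell")
    return hits


def scan(lines, cfg=QUASAR_CONFIG):
    """Return (line_index, hits) for every line matching at least one rule."""
    findings = []
    for i, line in enumerate(lines):
        hits = classify(parse_event(line), cfg)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"line {i}: {'; '.join(hits)}")
```

The C2 rule is the weakest of the four: gl.at.ply.gg is a playit.gg tunnelling domain, so the hostname and port are attacker-chosen and cheap to rotate. The startup_key and subdirectory\install_name pair come from the builder and survive a C2 change, and the Defender-tampering rule is independent of this sample entirely; in practice you would alert on the PowerShell rule on its own and use the config-derived rules to scope a response.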