Analysis
- max time kernel: 162s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 24-03-2022 08:27

Behavioral task: behavioral1
- Sample: 4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe
- Resource: win7-20220311-en
- 0 signatures
- 0 seconds
General
- Target: 4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe
- Size: 348KB
- MD5: 4e22eda5918426ccbc58319c13978906
- SHA1: 080d364b894ee591be92afa782db2ae93192bea9
- SHA256: 4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f
- SHA512: 03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901
Malware Config
Extracted
- Family: quasar
- Version: 1.3.0.0
- Botnet: Test1
- C2:
  sharaga.ddns.net:25565
  81.1.158.128:25565
- Mutex: QSR_MUTEX_2Wq2bcpv2N4Sls5IAl

Attributes
- encryption_key: 3IYxH0O6qCkTu1k47KTz
- install_name: java.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Java
- subdirectory: .minecraft
Signatures
- Quasar Payload (1 IoC)
  Processes:
  resource: behavioral2/memory/4776-134-0x0000000000370000-0x00000000003CE000-memory.dmp
  yara_rule: family_quasar
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description: Token: SeDebugPrivilege
  pid: 4776
  process: 4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe
Downloads
- memory/4776-134-0x0000000000370000-0x00000000003CE000-memory.dmp (Filesize: 376KB)
- memory/4776-135-0x00000000052C0000-0x0000000005864000-memory.dmp (Filesize: 5.6MB)
- memory/4776-136-0x0000000004E20000-0x0000000004EB2000-memory.dmp (Filesize: 584KB)
- memory/4776-137-0x0000000005230000-0x0000000005296000-memory.dmp (Filesize: 408KB)
- memory/4776-138-0x0000000005A70000-0x0000000005A82000-memory.dmp (Filesize: 72KB)