Analysis
-
max time kernel
700s -
max time network
707s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
15/08/2023, 08:50
Behavioral task
behavioral1
Sample
Client.exe
Resource
win10-20230703-en
4 signatures
1800 seconds
General
-
Target
Client.exe
-
Size
3.1MB
-
MD5
4b97bd8478dcce3e5e526664af9db723
-
SHA1
d0c1f556bbac9e81edecfedd7521b7cc1b1e78f6
-
SHA256
8634d9e5e69c0eb0758fd4d57ee58fc53c57afc1b61d790493e725ff8f6b79f2
-
SHA512
d7dbac6b27cde29260f5154564aa0213a2c94d6471c60e5bab4088ff027621fccd26aa5666f4b86991c84c635e2b2afd525213d2efa223d07dcbe787768458e4
-
SSDEEP
49152:5Hl592AYawl1WPOl6NVtRkJ0xExbhEoGdaTHHB72eh2NT:5H/92AYawl1WPOl6NVLkJ0xExbq
Malware Config
Extracted
Family
quasar
Version
1.0
Botnet
Office
C2
6.tcp.eu.ngrok.io:15209
Mutex
f66b5493-61eb-4d81-92bf-7cdd5011ca71
Attributes
-
encryption_key
5C8FA74B508E07066B897AA659A1D34132B54635
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
VC-RAT Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
resource yara_rule behavioral1/memory/3532-122-0x00000000006E0000-0x0000000000A04000-memory.dmp family_quasar -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3532 Client.exe