Analysis
- max time kernel: 1544s
- max time network: 1554s
- platform: windows10-1703_x64
- resource: win10-20230703-en
- resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 16/08/2023, 09:32

Behavioral task: behavioral1
- Sample: test.exe
- Resource: win10-20230703-en
- 6 signatures
- 1800 seconds
General
- Target: test.exe
- Size: 3.1MB
- MD5: eecdbc78d76691a6be6cecc14a09968e
- SHA1: 01cbea73481a01dfcbf5e84abb060d2915e4684c
- SHA256: 781ecb1f7366bf4ae82fc447898d1ec82f49a48787dff6b0bfb9a0f69e85c354
- SHA512: 1460dea51eef202616ce842586e3c0e4b561cdaf8cdc974a2a5a2cb5c6a0d64e4e592f0c2803aa8dfba9392f07d41573802fad5bc8a48c6cf1b8651cc1d849c6
- SSDEEP: 49152:GHl592AYawl1WPOl6NVtRkJ0xEEmxR16cbRi+oGdhTHHB72eh2NT:GH/92AYawl1WPOl6NVLkJ0xEEgR16w
Malware Config (Extracted)
- Family: quasar
- Version: 1.0
- Botnet: Office
- C2: 7.tcp.eu.ngrok.io:11273
- Mutex: f66b5493-61eb-4d81-92bf-7cdd5011ca71
- Attributes:
  - encryption_key: 5C8FA74B508E07066B897AA659A1D34132B54635
  - install_name: Client.exe
  - log_directory: Logs
  - reconnect_delay: 3000
  - startup_key: 1
  - subdirectory: SubDir
Signatures
- Quasar payload (1 IoC)
  resource: behavioral1/memory/4956-122-0x0000000000A20000-0x0000000000D44000-memory.dmp
  yara_rule: family_quasar
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious behavior: EnumeratesProcesses (56 IoCs)
  pid: 4956, Process: test.exe (the same pid/process pair is listed for all 56 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege, pid: 4956, Process: test.exe