Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
21/09/2023, 15:05
General
-
Target
xwmy1oaJ1ZKs.exe
-
Size
288KB
-
MD5
d292defb89bac7be1d7f41a292887eeb
-
SHA1
56e094ea22fdde282949a4d987178a6f59b3b27b
-
SHA256
eb4f98a7aadc4eb5feceab64bd93b1d9c077510dd3cdb0efb6c733acd45b6e41
-
SHA512
f35d95111ad870bf0f675863ea609001d0a994b9388fc918a84952ecaf983d8d28a5073dd3e04a2595e8d8cb2379c652f6fbb0039f41cf4a76d764a7469fbc23
-
SSDEEP
6144:jRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkAq:o4AZrg7g9zVGkllbkV
Score
10/10
Malware Config
Extracted
Family
quasar
Version
1.4.0.0
Botnet
Office04
C2
microsoft-virtualpc.duckdns.org:4782
Mutex
E2YATkLA294znzRxeX
Attributes
-
encryption_key
gTJCDtT0AcfvyNJB5Vqb
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
Family
quasar
Attributes
-
reconnect_delay
3000
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\xwmy1oaJ1ZKs.exe"C:\Users\Admin\AppData\Local\Temp\xwmy1oaJ1ZKs.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
312KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB