Analysis
-
max time kernel
1797s -
max time network
1810s -
platform
windows10-1703_x64 -
resource
win10-20231020-en -
resource tags
arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system -
submitted
27-11-2023 18:45
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
0c5f6822969f4890cf44d814332f28b9
-
SHA1
d17f440cb2ce53963555bb3c9e4953edc82039d0
-
SHA256
f50ff41e503c8b504faa61db21e97a1525c97eb97fa2e88f835ce473017b4214
-
SHA512
d355810d1eff5587606bda7081fefbaa498b7e16754eae01c1efba5ece4ded9d229b07acf437b9ddf9328d6b11c58e376afd727cc8f2cd396a6d8b39ede3a054
-
SSDEEP
49152:DvKI22SsaNYfdPBldt698dBcjH+4mCmzPLoGdUqTHHB72eh2NT:Dvn22SsaNYfdPBldt6+dBcjH+4mb
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
Office04
C2
vxc-63595.portmap.host:63595
Mutex
a8ba728a-8b60-42d1-998f-e0693b23224e
Attributes
-
encryption_key
416C833148C29219D245197DE247D78A39EC13E5
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
resource yara_rule behavioral1/memory/2960-0-0x0000000000580000-0x00000000008A4000-memory.dmp family_quasar -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2960 Client-built.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2960 Client-built.exe