Analysis
- max time kernel: 128s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 30-11-2023 02:43
Behavioral task: behavioral1
- Sample: Client-built.exe
- Resource: win7-20231023-en
- 6 signatures
- 150 seconds
General
- Target: Client-built.exe
- Size: 3.1MB
- MD5: 60e569fdc26a5ebd61c55b18db940fa9
- SHA1: c2ad1128f8c71f9df6fb74866666bb4f8d0ff3ee
- SHA256: 2021bf97c6d6a200867c82fe27f31a4e01961e7efb8bd0fe4d857467f5ca3542
- SHA512: d42d660c76a5e7af6070c7b0953c9a882a05ba56607a07c770427b082c2147a32a23c0125b4857dad7859f04f4aba5c1b8f86c5baf1bfaeafa1dbdd3c757dadc
- SSDEEP: 49152:mvbI22SsaNYfdPBldt698dBcjHORqwbRNLoGd9PTHHB72eh2NT:mvk22SsaNYfdPBldt6+dBcjHORqUN
Malware Config (Extracted)
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: rattata.ddns.net:4782
- Mutex: d6708ec5-ed6f-420d-af48-db9ff459fc59
Attributes
- encryption_key: 08EF2E54E0B00F8210FCC8BAF01B8C73CA04E630
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
- Quasar payload (1 IoCs)
  resource: behavioral1/memory/2340-0-0x0000000000B40000-0x0000000000E64000-memory.dmp
  yara_rule: family_quasar
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 2340
  Process: Client-built.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid: 2340
  Process: Client-built.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  pid: 2340
  Process: Client-built.exe