Analysis
max time kernel: 46s
max time network: 62s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2023 18:10
Behavioral task behavioral1
Sample: Electron.exe
Resource: win7-20231130-en
Behavioral task behavioral2
Sample: Electron.exe
Resource: win10-20231129-en
Behavioral task behavioral3
Sample: Electron.exe
Resource: win10v2004-20231127-en
General
Target: Electron.exe
Size: 3.2MB
MD5: 5dd7500f21add8f9bc322529a35cb55f
SHA1: b12eec8fdf6224f65e27fb9d9b06dc4375e1b37b
SHA256: 48d2d3e579bbcddda54aa5bd48197b179ca7b75018d05ce12ff3cf9e7b78e40e
SHA512: dfbbb5b026e46dd5569814f6e8558678808bf9d4d7c8d4949f8943bb7eb92ecea8f2abfc0f9f2becdd0d2f04b61000262f20e2af87a11e3fc8d4931879633e3b
SSDEEP: 98304:/veL26AaNeWgPhlmVqkQ7XSKB3OzLRCL:3e4SlPgL
Malware Config
Extracted
quasar
1.4.1
Office04
limehag920-33288.portmap.host:33288
9818b060-d6e3-4e48-b21e-c9ef7bc65511
encryption_key: E97F64327412A3864CF0B0BE4A85415B949C39AD
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar payload 1 IoCs
resource: behavioral3/memory/2328-0-0x00000000005A0000-0x00000000008D4000-memory.dmp, yara_rule: family_quasar
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege, pid: 2328, Process: Electron.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid: 2328, Process: Electron.exe
pid: 2328, Process: Electron.exe
pid: 2328, Process: Electron.exe
Suspicious use of SendNotifyMessage 3 IoCs
pid: 2328, Process: Electron.exe
pid: 2328, Process: Electron.exe
pid: 2328, Process: Electron.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid: 2328, Process: Electron.exe