Analysis
max time kernel: 142s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2023 16:50

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 61d8551b55b55b3d929e2281362b9513.exe
Resource: win7-20231215-en (7 signatures, 150 seconds)
General
Target: 61d8551b55b55b3d929e2281362b9513.exe
Size: 1.3MB
MD5: 61d8551b55b55b3d929e2281362b9513
SHA1: 3e140d3c4e8e261bd5ff3308bbf0d03cb288f278
SHA256: 61ac9f591b1d67f0c954049d2e6d15cebf213055d6ed6ee0cada7a1f295b1b96
SHA512: c093444f4dcc78db595e42322e463747d980b2dbd6a51a88ac620d9728e4c457e9656777a624302a123fafd473a3b374d5d9cfe3b0f0e755695fb9ffc95e731c
SSDEEP: 24576:q9cIUWY2lnQrwrAXnKGc0tCaZWgz9L1jFo9teFGLIEQ9YmChH5YvdVaCUmNz5:5dvAwdnKutCaZWgzVJa9t6GkEAW9KaC
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: Office04
C2: 0.tcp.ngrok.io:14530
Mutex: QSR_MUTEX_w8Mfgcdxl7hldMH2pY
Attributes
encryption_key: zYcujUQPEU4C2FHrr1HG
install_name: Diciple Cheats Loader-Protected.exe
log_directory: Key Strokes
reconnect_delay: 3000
startup_key: svhost.exe
subdirectory: SubDir

Note on the indicators: the C2 is an ngrok TCP tunnel endpoint, so the hostname is a shared relay rather than attacker-owned infrastructure; the port, mutex and encryption key are the sample-specific values worth pivoting on. The startup_key "svhost.exe" differs from the legitimate Windows binary name svchost.exe by one character, and the mutex follows the QSR_MUTEX_<random> form common to Quasar builds.
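The extracted configuration above is the part of this report that can be turned directly into hunting logic. The following is an added example, not code from the sandbox or from the Quasar project: it treats the exact mutex, C2 endpoint and startup_key as high-confidence indicators, generalises the mutex prefix and the ngrok tunnel form to lower-confidence ones, and flags Run-key names that sit one edit away from a Windows system binary. The telemetry events it scores are constructed for the demonstration, and the optional ngrok region label in the regex is an assumption about other ngrok regions rather than something this report shows.

```python
"""Turn the Quasar config extracted by the sandbox into host/network detections."""
import re
from typing import Dict, List, Optional

# Configuration values as extracted by the sandbox for this sample.
QUASAR_CONFIG: Dict[str, str] = {
    "C2": "0.tcp.ngrok.io:14530",
    "Mutex": "QSR_MUTEX_w8Mfgcdxl7hldMH2pY",
    "install_name": "Diciple Cheats Loader-Protected.exe",
    "startup_key": "svhost.exe",
    "subdirectory": "SubDir",
}

# Quasar mutex names share the QSR_MUTEX_ prefix with a random alphanumeric tail,
# so the prefix generalises across builds where the full value does not.
QUASAR_MUTEX_RE = re.compile(r"^QSR_MUTEX_[A-Za-z0-9]+$")
# ngrok TCP tunnel endpoint: <n>.tcp.ngrok.io:<port>. The optional two-letter
# region label is an assumption about other ngrok regions, not from the report.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp\.(?:[a-z]{2}\.)?ngrok\.io:(\d+)$")

# Windows binaries whose names persistence entries commonly imitate.
SYSTEM_NAMES = ["svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes such as svhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> Optional[str]:
    """Return the system binary a name imitates (distance 1, not identical), else None."""
    low = name.lower()
    for legit in SYSTEM_NAMES:
        if low != legit and levenshtein(low, legit) == 1:
            return legit
    return None


def assess_config(cfg: Dict[str, str]) -> List[str]:
    """Explain which config fields are strong indicators and which are weak."""
    findings = []
    if QUASAR_MUTEX_RE.match(cfg["Mutex"]):
        findings.append("mutex follows the Quasar QSR_MUTEX_<random> form")
    m = NGROK_TCP_RE.match(cfg["C2"])
    if m:
        findings.append(
            f"C2 is an ngrok TCP tunnel: hostname is a shared relay, "
            f"so pivot on port {m.group(1)} plus the mutex, not the hostname alone"
        )
    legit = lookalike(cfg["startup_key"])
    if legit:
        findings.append(f"startup_key {cfg['startup_key']!r} imitates {legit!r}")
    return findings


def hunt(cfg: Dict[str, str], events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score host/network events against the extracted config; exact values rank highest."""
    hits = []
    for i, ev in enumerate(events):
        kind, val = ev["type"], ev["value"]
        if kind == "mutex":
            if val == cfg["Mutex"]:
                hits.append({"index": i, "severity": "high", "reason": "exact Quasar mutex"})
            elif QUASAR_MUTEX_RE.match(val):
                hits.append({"index": i, "severity": "medium", "reason": "Quasar-style mutex, other build"})
        elif kind == "netconn":
            if val == cfg["C2"]:
                hits.append({"index": i, "severity": "high", "reason": "exact C2 endpoint"})
            elif NGROK_TCP_RE.match(val):
                hits.append({"index": i, "severity": "low", "reason": "ngrok TCP tunnel, shared relay"})
        elif kind == "runkey":
            legit = lookalike(val)
            if val.lower() == cfg["startup_key"].lower():
                hits.append({"index": i, "severity": "high", "reason": "Run key matches startup_key"})
            elif legit:
                hits.append({"index": i, "severity": "medium", "reason": f"Run key imitates {legit}"})
    return hits


# Constructed telemetry (not from the sandbox run) to exercise the matcher.
SAMPLE_EVENTS = [
    {"type": "mutex", "value": "QSR_MUTEX_w8Mfgcdxl7hldMH2pY"},
    {"type": "mutex", "value": "QSR_MUTEX_Ab12Cd34Ef56Gh78Ij"},
    {"type": "netconn", "value": "0.tcp.ngrok.io:14530"},
    {"type": "netconn", "value": "4.tcp.ngrok.io:18221"},
    {"type": "runkey", "value": "svhost.exe"},
    {"type": "runkey", "value": "OneDrive"},
]

if __name__ == "__main__":
    for line in assess_config(QUASAR_CONFIG):
        print("config:", line)
    for h in hunt(QUASAR_CONFIG, SAMPLE_EVENTS):
        print(h)
```

The severity split is the point of the design: the full mutex, the exact C2 socket and the startup_key are specific to this build and should alert on their own, while a different QSR_MUTEX_ value or another ngrok tunnel only justifies a lower-priority lead, because those patterns also match other Quasar builds and legitimate ngrok users.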
Signatures
Quasar payload (1 IoC)
resource: behavioral1/memory/2188-2-0x0000000000110000-0x0000000000510000-memory.dmp, yara_rule: family_quasar
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid 2188, process 61d8551b55b55b3d929e2281362b9513.exe (2 identical entries)
Program crash (1 IoC)
pid 2136 (WerFault.exe), pid_target 2188, procid_target 27
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, pid 2188, process 61d8551b55b55b3d929e2281362b9513.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid 2188, process 61d8551b55b55b3d929e2281362b9513.exe
Suspicious use of WriteProcessMemory (4 IoCs)
PID 2188 (61d8551b55b55b3d929e2281362b9513.exe) wrote to memory of 2136 (WerFault.exe), procid_target 29 (4 identical entries)

Note on the WriteProcessMemory entries: every recorded write targets 2136, the WerFault.exe instance spawned to report the sample's own crash; no write into an unrelated process appears in this run, so these entries should not be read as injection into a third-party process. The Quasar payload was identified by YARA in the 4 MB region 0x110000-0x510000 of the sample's own process (2188).
Processes
1. C:\Users\Admin\AppData\Local\Temp\61d8551b55b55b3d929e2281362b9513.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\61d8551b55b55b3d929e2281362b9513.exe"
   PID: 2188
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of 2188)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1080
      PID: 2136
      - Program crash