Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25-03-2024 15:17

Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240221-en (windows7-x64)
4 signatures, 150 seconds
General
- Target: Client-built.exe
- Size: 3.1MB
- MD5: 2c452681aaf7e08b26eec0c3e5778bd2
- SHA1: f9a3d4ad1b623f2f52ff60a51c35f5a6817c12f2
- SHA256: acaa51b406aa9cef4c6ac4d6d57b91b0dd2d07a9f6333b69e742796a367ff010
- SHA512: c321ff90d512b067ea2c617a07224b6756092318ef3d3175d0c1a00eaa7b9a0cc6976314e00fce4ebec9877d8c4ca8ade23d51e003d3f28317702c57b0541384
- SSDEEP: 49152:evBt62XlaSFNWPjljiFa2RoUYI31LBrTMfxdoGdalTHHB72eh2NT:evr62XlaSFNWPjljiFXRoUYI35BrCq
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: test
- C2: 192.168.1.42:4782
- Mutex: 95ad66d9-3637-453f-943d-33d2a2c49feb
Attributes
- encryption_key: 3A52ADE42ED9473E5578959627082144C8887BFE
- install_name: winreset.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Discord
- subdirectory: Boot
Signatures
- Quasar payload (1 IoC)
  Processes (resource | yara_rule): behavioral1/memory/1676-0-0x00000000013A0000-0x00000000016C4000-memory.dmp | family_quasar
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process): File created | C:\Windows\system32\Boot\winreset.exe | Client-built.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process): Token: SeDebugPrivilege | 1676 | Client-built.exe
Downloads
- memory/1676-0-0x00000000013A0000-0x00000000016C4000-memory.dmp (filesize 3.1MB)
- memory/1676-1-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp (filesize 9.9MB)
- memory/1676-2-0x0000000001310000-0x0000000001390000-memory.dmp (filesize 512KB)
- memory/1676-3-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp (filesize 9.9MB)
- memory/1676-4-0x0000000001310000-0x0000000001390000-memory.dmp (filesize 512KB)