Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
18-04-2024 13:05
Behavioral task
behavioral1
Sample
xmrhZ7VhlJjD.exe
Resource
win7-20240221-en
4 signatures
150 seconds
General
-
Target
xmrhZ7VhlJjD.exe
-
Size
348KB
-
MD5
b12dcc0b6399196333d30649f325397f
-
SHA1
6f208c9b6d3dae57e4c22d5e319db0d237feb909
-
SHA256
498844e96c76ce422fdb328f5deadd5e0785582cf291c1cf9d32ed15f45fa964
-
SHA512
f7e1cd332733a28636439775e501870b5a9d90899357ee27ed51a647c15be614bcdbcfc5acef7fc0b3085ecca2a45eb1496ec88e26cfe6e08c9b4c2bf6198146
-
SSDEEP
6144:67qQ4i1FFiEKyK5ALbddCEaBHGdNXUnO:8plipKddGIdBUnO
Malware Config
Extracted
Family
quasar
Version
1.3.0.0
Botnet
Office04
C2
companinuevoano1.con-ip.com:4782
Mutex
QSR_MUTEX_l1M93VuqIyiH8hEQ4I
Attributes
-
encryption_key
rFxyS0ilcLEI1ldtBJAu
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/760-0-0x0000000000320000-0x000000000037E000-memory.dmp family_quasar -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 13 ip-api.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
xmrhZ7VhlJjD.exedescription pid process Token: SeDebugPrivilege 760 xmrhZ7VhlJjD.exe