Analysis
max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 06:06
Behavioral task: behavioral1
Sample: 24e7acb706dffb37b3e682424719f5ab.exe
Resource: win7-20240221-en
3 signatures
150 seconds
General
Target: 24e7acb706dffb37b3e682424719f5ab.exe
Size: 3.1MB
MD5: 24e7acb706dffb37b3e682424719f5ab
SHA1: 5d4864f3acb3076ee4005990114a4a1f2520d456
SHA256: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d
SHA512: 3d4b62d8a2c725f288277a0021c5dc46600e71b20fcdc660fdb00e0d37ff0a0114b7571d331fd85f989da74ef2dbf57add61b90085ff94cf53f5d07fea215c50
SSDEEP: 49152:HvilL26AaNeWgPhlmVqvMQ7XSKE6kjn+DixoGgBoTHHB72eh2NT:HvaL26AaNeWgPhlmVqkQ7XSKExn+DS
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: Kneegrowless-33547.portmap.host:33547
Mutex: 10674f25-f575-4b14-92cf-06a7073df875
Attributes
encryption_key: E5427EE2BE27EB8DFAE76384CABC8A5EBB33EB00
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
Quasar payload (1 IoCs)
Processes:
resource: behavioral1/memory/2712-0-0x0000000000F80000-0x00000000012A4000-memory.dmp
yara_rule: family_quasar
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description: Token: SeDebugPrivilege
pid: 2712
process: 24e7acb706dffb37b3e682424719f5ab.exe