Analysis
- max time kernel: 1795s
- max time network: 1799s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 02-06-2024 02:12
General
- Target: Viber.exe
- Size: 3.3MB
- MD5: 9863fe2c29f2deb8b301f8180acdedf1
- SHA1: 105a2679bdf370905368427b16cb15d79c41a4da
- SHA256: 2ab4ac728381ffef7b917c6e2f9fd45cdbb753238552484b33990d101f90105d
- SHA512: bc4b7f07e9b5679c178287c4bee466425c039e5ef49a9fd7b1af7952f96c5445bcfe254f9c6c2d5acbe8feede1d64a4f9bad81ebcf312ab99f3aa8b32fee3f16
- SSDEEP: 49152:8vzI22SsaNYfdPBldt698dBcjHdhZe0SMfGvoGddHTHHB72eh2NT:8vM22SsaNYfdPBldt6+dBcjHd3e0GN
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- botnet: Office04
- c2: 192.168.100.4:4782
- mutex: ff281bf3-1641-40e1-b845-186b77f35b47
- encryption_key: F8B799D52937CC435CCEC057E69F8914153CFD83
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures

Quasar payload (3 IoCs)
Resources matching yara rule family_quasar:
- behavioral1/memory/1420-1-0x0000000001050000-0x00000000013AA000-memory.dmp
- behavioral1/memory/2224-8-0x0000000000D20000-0x000000000107A000-memory.dmp
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Executes dropped EXE (1 IoC)
Processes:
- PID 2224: Client.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 1420 Viber.exe: Token: SeDebugPrivilege
- PID 2224 Client.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- PID 2224: Client.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes:
- PID 2224: Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 2224: Client.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 1420 (Viber.exe) wrote to memory of PID 2224 (Client.exe)
- PID 1420 (Viber.exe) wrote to memory of PID 2224 (Client.exe)
- PID 1420 (Viber.exe) wrote to memory of PID 2224 (Client.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Viber.exe (PID 1420)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Viber.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2224, child of PID 1420)
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix