Analysis
-
max time kernel
133s -
max time network
150s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
28-06-2024 22:11
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win10-20240404-en
5 signatures
150 seconds
General
-
Target
svchost.exe
-
Size
409KB
-
MD5
cf1095129f08d9ac4235e307c45992d4
-
SHA1
e452600b185b20b5aca7f277b20ee0ac283caa9a
-
SHA256
0ae8715511cac160bace9f8cc6d042de274573159d077846598c1626bd6b0d3d
-
SHA512
d55fa2399c2c566a32d7f6ae7c67db5b7be344e129f76e731298236b7d41639146b1dd120dc79b5fcd2ff261405423505c5d6604353b1736b10c82b8440d5df1
-
SSDEEP
12288:RpsD64e1MvzNU2hcPPHXN/x8N619mUBecXKe:vsG4kMThcPPHXD9NBT
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
SeroXen | v3.1.5 |
C2
hardware-morgan.gl.at.ply.gg:49331
Mutex
$Sxr-jy6vh8CtEJL5ceZuIb
Attributes
-
encryption_key
KNgpj87CUPQcxCMhHO0S
-
install_name
$sxr-powershell.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
-
startup_key
Powershell
-
subdirectory
$sxr-seroxen2
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2480-1-0x0000000000140000-0x00000000001AC000-memory.dmp family_quasar -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
svchost.exedescription pid process Token: SeDebugPrivilege 2480 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
svchost.exepid process 2480 svchost.exe