Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
28-06-2024 23:56
Behavioral task
behavioral1
Sample
Neo.exe
Resource
win10-20240611-en
Behavioral task
behavioral2
Sample
Neo.exe
Resource
win10v2004-20240611-en
General
-
Target
Neo.exe
-
Size
348KB
-
MD5
1e7a43037ad795c85258f3543636cae6
-
SHA1
634d8def0e80e4791698d7e94b20dd8c5aba063c
-
SHA256
cdd44caceb600c73a01b95c572142a59a35a23b1fb8e8e70cf920140366d3d09
-
SHA512
443dc2ea997bc3dc51371313161ab9990ac3a1eed30cd2f414e08c9fdbc32c36a2b97813759b67394b3de8f19649256d8a1e1d87636efee065f8fc5487a71853
-
SSDEEP
6144:ILL3HRsM+OFZcAHCJbFnrMr1TuT8igmMu:OVP+Myry1TuT8igmMu
Malware Config
Extracted
quasar
1.1.0
Slave
runderscore00-42512.portmap.io:42512
QSR_MUTEX_aYgVTolyJfnSo2kPQj
-
encryption_key
PK7SpR1WESSqHBwmTfVi
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/5044-1-0x0000000000120000-0x000000000017E000-memory.dmp family_quasar -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 ip-api.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Neo.exedescription pid process Token: SeDebugPrivilege 5044 Neo.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Neo.exepid process 5044 Neo.exe