Analysis
-
max time kernel
116s -
max time network
117s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-06-2024 11:25
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
38156fe138e7373db14d986ee33d4ea8
-
SHA1
caf166611971c6a8352b22eede79cea92aa344b8
-
SHA256
dd0613d4b34cf59b2ea9a3a0a9f4ce1c02dd0601c0240f61e2b980e16c42667a
-
SHA512
ebcca06582347877ff1b6da58400b3682d998d1b223eb49cc93d4da523c70dc26a1cc4f1ccb1081d7295a1b9906417b78b0d63c685bc93d9ac7db517ddc5d241
-
SSDEEP
49152:SvnI22SsaNYfdPBldt698dBcjH0H4oNbRvLoGddTHHB72eh2NT:SvI22SsaNYfdPBldt6+dBcjH0Yov
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
TESTIP
C2
8.tcp.ngrok.io:15015
Mutex
7a69ad86-36ff-45e8-ba4b-800fbf776712
Attributes
-
encryption_key
562515CBE0241F4FD48C91375ED3063F997D8AEE
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1436-1-0x0000000000010000-0x0000000000334000-memory.dmp family_quasar -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Client-built.exedescription pid process Token: SeDebugPrivilege 1436 Client-built.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Client-built.exepid process 1436 Client-built.exe