Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-06-2024 14:11
General
-
Target
test - Copie.exe
-
Size
3.1MB
-
MD5
1910d58cf65bec326f23a30563ab24c9
-
SHA1
1f97e5ddc0634a911aa95684086b000ab86727dc
-
SHA256
06cd6bdc86d2c7c4e3f4368d5f98a3f46236f19e76c0aaf9b26f8b868133a7fd
-
SHA512
c2e901122968c0b9267adb7863ab600e6837557f3132e8dab049de2d037b0246e1fd1809151338eccab4de9c7b370f3f30a7744b38ac8668c283a306638d0024
-
SSDEEP
49152:KvnI22SsaNYfdPBldt698dBcjHBCj1JDLoGdXTHHB72eh2NT:KvI22SsaNYfdPBldt6+dBcjHBCb
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
TESTIP
C2
0.tcp.ngrok.io:14534
Mutex
88de9d82-6909-427b-8a11-f28cf4280285
Attributes
-
encryption_key
562515CBE0241F4FD48C91375ED3063F997D8AEE
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1088-1-0x00000000008D0000-0x0000000000BF4000-memory.dmp family_quasar -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
test - Copie.exedescription pid process Token: SeDebugPrivilege 1088 test - Copie.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
test - Copie.exepid process 1088 test - Copie.exe