Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-06-2024 16:33
General
-
Target
fee.exe
-
Size
3.1MB
-
MD5
c7019bdd8633d251d4cb882ad7ed660b
-
SHA1
ae597e52309ccc880c12a07ffd3198a4d5b44c94
-
SHA256
1850845c867a7b02ba9be9a2368d77d026288f74d3a4746db06e8a1e5914be0a
-
SHA512
632899d91ead3ef99efeec2fa5c8b16dcd5ae9c7db24b28132971e130438c22d85df1abb68411244aec113b34804e0535f0311e31af2b12f519b819c1297fca9
-
SSDEEP
49152:KvnI22SsaNYfdPBldt698dBcjHSLRJ6ybR3LoGdpTHHB72eh2NT:KvI22SsaNYfdPBldt6+dBcjHSLRJ6s
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
zzzz
C2
8.tcp.ngrok.io:14734
Mutex
116e2822-047d-4b5c-ad10-563148a1a28e
Attributes
-
encryption_key
C366BC97216329D1909524412E3ECB1EBC575D07
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/4284-1-0x0000000000B70000-0x0000000000E94000-memory.dmp family_quasar -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
fee.exedescription pid process Token: SeDebugPrivilege 4284 fee.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
fee.exepid process 4284 fee.exe