Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
05-08-2024 08:05
Behavioral task
behavioral1
Sample
skibidirat.exe
Resource
win7-20240729-en
General
-
Target
skibidirat.exe
-
Size
3.1MB
-
MD5
797c5548befc52f7b0dbedc8e6172184
-
SHA1
05e5fd623d589e9790e648348f05e317d926b8c4
-
SHA256
62e9fdaaf90da01ef28a26823e3442d73b93dc0e23d93139df631701cf6da260
-
SHA512
2ed20953b97ae2a2dfad7735dcef327f69cd08e9d2acaefd7a23dec0890463dd5a97c5cb1fb54634a052613b55752fc3ce624939dd89ef85bcdae5d46a19e0b5
-
SSDEEP
49152:xHobtR1o2PmNXo7WCr5Ft4Rw8FcXrYd+THHB72eh2NT:xHmRvmNXo7WCr5+w8A
Malware Config
Extracted
quasar
1.4.1
Office04
147.185.221.18:42996
147.185.221.18:1770
c2e1b18a-ce93-436d-ad8b-21bf89015e19
-
encryption_key
9E968F05BD874BA1BE086FD1774A027473823F49
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1664-1-0x0000000001060000-0x0000000001384000-memory.dmp family_quasar -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
skibidirat.exedescription pid process Token: SeDebugPrivilege 1664 skibidirat.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
skibidirat.exepid process 1664 skibidirat.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
skibidirat.exepid process 1664 skibidirat.exe