Analysis
-
max time kernel
126s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28-11-2024 03:04
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20240903-en
General
-
Target
Client.exe
-
Size
348KB
-
MD5
4ae0072b64d5fd0d3487aa9471170c88
-
SHA1
bd0e8c22c8bc30d653552d79860948302bf6d964
-
SHA256
0e9cf144db889d734e8cd7bf4a7fe7fbfce2b0e4a1811e28529b8fef441bfef8
-
SHA512
222c28a9d4cb828b2cf72a089a75d7250aaf7d6b7bf0243e04e932855e263f0234abd27d09a75562db58bb2008bddca7055336df9ca05dc877736e18c1dab64f
-
SSDEEP
6144:mrNHXf500MvKRH2aWx3bp91O+mCWYOvNlRkiyZK:wd50gRSj1jEYOvtkiwK
Malware Config
Extracted
quasar
1.3.0.0
Office04
51.79.176.188:4782
QSR_MUTEX_VpymbOpr3PCDDO1MrF
-
encryption_key
UHc26cHDYhemjvStOeoP
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2376-1-0x00000000011C0000-0x000000000121E000-memory.dmp family_quasar -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 ip-api.com -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Client.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Client.exedescription pid Process Token: SeDebugPrivilege 2376 Client.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Client.exepid Process 2376 Client.exe