Analysis

max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-12-2024 16:12

Behavioral task: behavioral1
Sample: app1.exe
Resource: win7-20240903-en (windows7-x64)
4 signatures, 150 seconds
General

Target: app1.exe
Size: 2.9MB
MD5: e59dd92db4f4ffcebf9234b9e7f6d5ef
SHA1: 062d9b937f1aa328d9d47b5dcd906d627c9f1ab5
SHA256: 20718a2749f22cb1fa604c78b4efe205355717e4ba57aa00323955971da8cfae
SHA512: 23c5cfec42854c5fc2ccc3a326be871f781e851ec46015318c87ecde308bc17f8f8648023c557a6342c2a68deb13a133dfc8a03a433830dddc815f3db98313ec
SSDEEP: 49152:fvWI22SsaNYfdPBldt698dBcjHHWoI8THHB72eh2NT:fv722SsaNYfdPBldt6+dBcjHHW
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet: KDOTCrypt
C2: fedx.ddns.net:7000
Mutex: 05ed390b-a98b-426c-bddb-fc4eab59ee87
Attributes:
  encryption_key: 92470F4731518ABFA77DC89068544FB7E7B7C459
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Quasar family

Quasar payload (1 IoCs)
  resource: behavioral1/memory/2684-1-0x0000000001310000-0x00000000015FE000-memory.dmp
  yara_rule: family_quasar

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 2684
  Process: app1.exe