General

  • Target

    RuntimeBroker.exe

  • Size

    3.1MB

  • MD5

    f4da021b8bc9d8ef1ff9ce30b0ab3b79

  • SHA1

    998a833c28617bf3e215fe7a8c3552972da36851

  • SHA256

    b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

  • SHA512

    77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c

  • SSDEEP

    98304:ZvlL26AaNeWgPhlmVqkQ7XSKVcRJ6p3I:Nj4SN43I

Score
10/10

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

C2

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes
  • encryption_key

    F1EBDB1862062F9265C0B5AC4D02C76D026534D0

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    Temp

Signatures

  • Quasar family
  • Quasar payload 1 IoCs
  • Unsigned PE 1 IoCs

    Checks for missing Authenticode signature.

Files

  • RuntimeBroker.exe
    .exe windows:4 windows x86 arch:x86

    f34d5f2d4577ed6d9ceec516c1f5a744


    Headers

    Imports

    Sections