Behavioral task
behavioral1
Sample
cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe
Resource
win7-20240903-en
General
-
Target
cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe
-
Size
3.1MB
-
MD5
dd7a806c734df62ecf4802977fa0b3e9
-
SHA1
42eae42e0fcfe9d9a54e493a670adde5241377da
-
SHA256
cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f
-
SHA512
0f8e2e565b40baabdde4018db57e06aee8e8dfeb4b1491e8e02e56a20e6b55bc1130ed74a702c35e043d4886af969af5d8ca26f5caeb0e96694982ecfbc80bbf
-
SSDEEP
49152:yvkt62XlaSFNWPjljiFa2RoUYIO8RJ6IbR3LoGdaTHHB72eh2NT:yv462XlaSFNWPjljiFXRoUYIO8RJ6i
Malware Config
Extracted
quasar
1.4.1
Aryszx
Apichat:4782
181f4a12-4cad-46a9-9896-1001033c5b69
-
encryption_key
F4F359BEF442D9221F73F7D64267E0E300CC68CE
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
1
-
startup_key
Runtime Broker
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule sample family_quasar -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe
Files
-
cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 3.1MB - Virtual size: 3.1MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ