General
-
Target
kys.exe
-
Size
3.2MB
-
Sample
241218-ha7jsaymfr
-
MD5
0515143005b3e92fe50594bc1e30af7b
-
SHA1
1f565728bcc13bf1e49760c98bd96e15dacb42fc
-
SHA256
676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53
-
SHA512
e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c
-
SSDEEP
49152:tevXI22SsaNYfdPBldt698dBcjH3c0TbRSLoGd7/THHB72eh2NTA:UvY22SsaNYfdPBldt6+dBcjH3c0SZ
Behavioral task
behavioral1
Sample
kys.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
kys.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
quasar
1.4.1
victim-hacked
192.168.100.2:4444
16229cd1-6d24-490c-9eb9-35319229cc03
-
encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
-
install_name
victim.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft Service
-
subdirectory
SubDir
Targets
-
-
Target
kys.exe
-
Size
3.2MB
-
MD5
0515143005b3e92fe50594bc1e30af7b
-
SHA1
1f565728bcc13bf1e49760c98bd96e15dacb42fc
-
SHA256
676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53
-
SHA512
e813c528c5f1ff3b447b3701f3eb947d6697bf2880a39256d5c0e118cdebdb653651611ae3a03586871bce8d375c6035fdca1a7c8370605d3f68313928bbae3c
-
SSDEEP
49152:tevXI22SsaNYfdPBldt698dBcjH3c0TbRSLoGd7/THHB72eh2NTA:UvY22SsaNYfdPBldt6+dBcjH3c0SZ
-
Modifies visiblity of hidden/system files in Explorer
-
Quasar family
-
Quasar payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2