Analysis
-
max time kernel
126s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2024 06:27
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20240903-en
General
-
Target
Client-built.exe
-
Size
348KB
-
MD5
beb1de229b374cd778107c8268e191ac
-
SHA1
fb5dcf278195472e206fa484f7005aa485c308ae
-
SHA256
604b99f997d7de70804667e6e985627485d1a4d1eb694f3c36a34f0a01aef7bd
-
SHA512
62bbd4c5688438fb5b9d3610cc2fe2be654f4373a28fc116d6118d20b00c82060ac77d33c11758ef20b84a06a3eaced8a6eb9fe792a3a21207f1b37bb18caff0
-
SSDEEP
6144:IzNHXf500MoXP4PcNINSzpbDGrnxD6JAwV5IO:6d50OCcxzAjR6qwV5IO
Malware Config
Extracted
quasar
1.3.0.0
Office04
20.107.53.25:25535
QSR_MUTEX_zQ0poF2lHhCSZKSUZ3
-
encryption_key
E2xbpJ93MnABcIqioTDL
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/4960-1-0x0000000000C30000-0x0000000000C8E000-memory.dmp family_quasar -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 ip-api.com -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client-built.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4960 Client-built.exe