General

Target: Compiled.rar
Size: 5.5MB
Sample: 241224-vh525sspdk
MD5: bfbd3b978243c18c8c93d50d53f8794b
SHA1: 2830bfd88e0bed2ee2678b5399185c69226f2c2f
SHA256: 527ac72a0ff65114e5d8cef5936eaae4764c9f01c2cf454c61dc2e1400285626
SHA512: 61e8b62c2cecf416fa52604b9980853424353fc1f06ba2dbda724a11daca2b8f43ebb0da98664f91aee6360c8e04f6f03e8e5cb1df71ce17cc59cdb6c9d442b7
SSDEEP: 98304:qVRAi6LwGr2fAP9X4EdLENlNysOtj8B0SZiXLsWow0G6Yq026v4QKJJQ8rY8f:gb6LT14flNysKodWw7w0GLqv6gQK/hrp
Static task: static1

Behavioral task: behavioral1
Sample: Compiled/BStub_Onimai.exe
Resource: win11-20241007-en

Behavioral task: behavioral2
Sample: Compiled/Stager.exe
Resource: win11-20241007-en

Behavioral task: behavioral3
Sample: Compiled/Ton618.exe
Resource: win11-20241007-en
Malware Config

Extracted: quasar
encryption_key: 6DC75341715F183F008C5D5A26E1967745A885D9
reconnect_delay: 3000
Targets

Target: Compiled/BStub_Onimai.exe
Size: 114KB
MD5: 3ec96d8142a0382bf83d0d9acca9e7b1
SHA1: 62908a175e371d86dd5f90841811366bdb0678f1
SHA256: dcda999ce09d3dd5edd290280da150dd07720ba1e4d8cc0d62a6587a401b83fc
SHA512: 173e63526d03fb5efd1f552c9bb65c16b580592746514c6fa83b1b2bd903a6c9d91dfe5e79dff79de70ec30143ebbf03429c05b36f3aef35605a0e28bb7413ba
SSDEEP: 1536:jVrG0HWEOfQAgF0Sgb8WcP6OIUy92ShVA7gzzCAzCh3wvRnbAOsdlixs+wdQWu:jVy+W2gb5U2CAzCh3wvRnbl0Z+wqZ
Score: 1/10

Target: Compiled/Stager.exe
Size: 149KB
MD5: 98e08c9ddc69ca2b86028cc3cb1efa64
SHA1: 56ebf01da2329100e808bc5460e1ff597f512a82
SHA256: 8c1628ad812210a834d9a0d0dffae32d4057756de72ef4f80b72622786dc4038
SHA512: 3b97695816cc1b1199284698fef1cb572449b903c28f468740f14296307f2a5d718df0e542fb1eb5f2ec73dbfde737d8cb77bf8f08319c5fef987216c8a14f13
SSDEEP: 3072:PixjfPZwt68v4VjnYRawLr1SWRtLJbnOgZQBegbsu5q8fu3SsL72jV:PixjfW6WeS3NZxqlbzWSYy
Score: 10/10
Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext

Target: Compiled/Ton618.exe
Size: 6.3MB
MD5: f2767c94dc8fbd1a4f0140e8b2bfdf0b
SHA1: 3a5509b3df31289dd12b98fadc8427ccb7dc4729
SHA256: e137c5e7e7fd10ae048b0a154a14ac47d1fd77b29e61863154b363ed5d0bdb3e
SHA512: 637f6205805d09a25c05524d7390a02cf9bfc0d5cd9ae8c90f19dc1094f24fc5fba5784b069c9c78084932768951e125448092a0151d4230cf0062d9e6b1420e
SSDEEP: 98304:8F8YDfU4syqa1FbbF1Z080G4/7+VyyaYBcF8YDfU4e:SSczi1/74yyaYBye
Score: 1/10

Target: Compiled/zovoX.exe
Size: 2.9MB
MD5: 1976cb5215470bbbfe6ea766aa2b9253
SHA1: a9c899dbc512a5e8356731d4b1804fcbe4f6101b
SHA256: dbcc095aa748c9400b3a81781f44dab6cdead04f9abbc5612a49f156c2df3aff
SHA512: d6a904f2b0526435179d6d21b2d4021023451dbce44be4308cc83a6fd9d416be74fac0e4f1734005dc53d466b4dc734086ef97d59a2b6783a6d1f66f646be4b3
SSDEEP: 49152:XrCFFGZ0Ta3c4cF5v+kvvlEY4GO5me+90HPjxVBTvI5C8yXHxoAubGS:bC/la3cZ5v+st3OnxHPjRJ1ObT
Signatures:
- Quasar family
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs (clears Windows Event Logs to hide the activity of an intrusion)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
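The "Indicator Removal: Clear Windows Event Logs" hit on zovoX.exe is one of the few behaviours in this report that a defender can catch on the host with nothing more than the logs already being collected, provided they are forwarded before they are wiped. The Python below is an added example, not code from the sandbox, the report, or the analysed sample: it scans exported Windows event records for the documented log-clearing indicators (Security event 1102 "The audit log was cleared", System event 104 from Microsoft-Windows-Eventlog) and for a process-creation event (4688) whose command line runs wevtutil cl / clear-log or the PowerShell Clear-EventLog cmdlet. The JSON-lines records, the host name WS01, the user alice and the dropped-file path are constructed for the example and do not come from the page; the field names follow a common EVTX-to-JSON layout but are an assumption about your export tool.

```python
"""Flag Windows event-log clearing (ATT&CK T1070.001) in exported event records.

Added example for the 'Indicator Removal: Clear Windows Event Logs' signature;
not code from the sandbox report or the analysed sample.  The records below
are constructed, and the JSON field layout is an assumption.
"""
import json
import re
from typing import Iterable

# Documented log-clearing events: (Channel, EventID) -> description.
CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared (event 1102)",
    ("System", 104): "event log file cleared by Microsoft-Windows-Eventlog (event 104)",
}

# Built-in command lines that clear logs: 'wevtutil cl <log>' / 'clear-log'
# and the PowerShell Clear-EventLog cmdlet.  Queries like 'wevtutil qe' must
# not match.
CLEAR_CMDLINE = re.compile(
    r"\b(?:wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|clear-eventlog\b)",
    re.IGNORECASE,
)

# Constructed JSON-lines export (one record per line; not from the sandbox run).
SAMPLE_RECORDS = r'''
{"Channel": "Security", "EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice", "NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropped.exe", "CommandLine": "dropped.exe"}
{"Channel": "Security", "EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"}
{"Channel": "Security", "EventID": 1102, "Computer": "WS01", "SubjectUserName": "alice"}
{"Channel": "System", "EventID": 104, "Computer": "WS01", "SubjectUserName": "alice"}
{"Channel": "Security", "EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil.exe qe Security /c:5"}
{"Channel": "Security", "EventID": 4624, "Computer": "WS01", "SubjectUserName": "alice"}
'''


def detect_log_clearing(lines: Iterable[str]) -> list[dict]:
    """Return one finding per record that clears a log or runs a log-clearing command."""
    findings = []
    for record_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        key = (rec.get("Channel"), int(rec.get("EventID", -1)))
        reason = CLEAR_EVENTS.get(key)
        # A 4688 with a clearing command line is the precursor worth alerting on
        # even when the 1102/104 itself never reaches the collector.
        if reason is None and key == ("Security", 4688):
            if CLEAR_CMDLINE.search(rec.get("CommandLine", "")):
                reason = "process creation (4688) running a log-clearing command"
        if reason is not None:
            findings.append({
                "record": record_no,
                "event_id": key[1],
                "host": rec.get("Computer"),
                "user": rec.get("SubjectUserName"),
                "process": rec.get("NewProcessName"),
                "reason": reason,
            })
    return findings


def scan_sample() -> list[dict]:
    """Run the detector over the constructed records."""
    return detect_log_clearing(SAMPLE_RECORDS.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['host']} {f['user']} event {f['event_id']}: {f['reason']}")
```

Two practical points follow from this. Event 1102 is written into the freshly cleared Security log, so it survives the clear itself and is the one record you can rely on seeing locally; the 4688 that precedes it is the richer signal (it names the process and parent), but it is also one of the records being deleted, which is why forwarding to a collector matters more than any local rule. Run over the constructed records above the detector reports the wevtutil.exe 4688, the 1102 and the 104, and ignores the logon event and the read-only wevtutil qe query.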