General
- Target: https://github.com/Excalisz/Shadow-Grabber-
- Sample: 240630-y78q4svarb
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://github.com/Excalisz/Shadow-Grabber-
- Resource: win11-20240611-en
- 30 signatures
- 300 seconds
Malware Config
Extracted
- Family: quasar
- Version: 1.0.0.0
- Botnet: v2.2.6 | Tinsler
- C2:
  - throbbing-mountain-09011.pktriot.net:22112
  - 167.71.56.116:22112
  - throbbing-mountain-09011.pktriot.net:5050
- Mutex: cf16a257-7d89-4296-8384-8fca3dbb568f
- Attributes:
  - encryption_key: 045F98A287DD47B8B5C074D234995A2C5A913042
  - install_name: .exe
  - log_directory: $sxr-Logs
  - reconnect_delay: 1000
Targets
- Target: https://github.com/Excalisz/Shadow-Grabber-
  - Quasar payload
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Hide Artifacts: Hidden Window
    Windows that would typically be displayed when an application carries out an operation can be hidden.
  - Legitimate hosting services abused for malware hosting/C2
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext