General

  • Target: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye.zip.zip
  • Size: 1.4MB
  • Sample: 210309-1dzkf8pmcx
  • MD5: d969c15fe9871ad9e6398e5718512a04
  • SHA1: 1026dbc685f152d4e5a2307d88fc13a3a8750aae
  • SHA256: d89a2246c6db2ec558bce3f1b3ca0cf32eb7dd9905b1ff30f802732434254c93
  • SHA512: 436dc836d3806061dedd989ada2e0c4458404a5c1a7221c7cd56051c06ac66aa0ba20ef3bace452ef480aa37eedaad42ae1d7ba31d16ba4dc075902e5b5f456e

Malware Config

Extracted

  • Family: quasar
  • Version: 1.3.0.0
  • Botnet: Heart
  • C2: 185.163.127.20:61110
  • Mutex: HRT_MUTEX_kecTsVDPnERdvianlr
  • Attributes
      • encryption_key: 3vnM9JqtaSdxUVqeTXSi
      • install_name: Subfile.exe
      • log_directory: Logs
      • reconnect_delay: 3000
      • startup_key: Quasar Client Startup
      • subdirectory: SubDirr

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: HacKedTEST
  • C2: chipo.publicvm.com:1177
  • Mutex: 4c71585ab01a8f1344352fb1f26b00fd
  • Attributes
      • reg_key: 4c71585ab01a8f1344352fb1f26b00fd
      • splitter: |'|'|

Targets

    • Target: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Config.bat
    • Size: 580B
    • MD5: 028f22a9de1e96042ba3c22231565d7f
    • SHA1: 644f9c79a0338fd1073b66fcf5a96851c0c06ad6
    • SHA256: cae2e9ddb120b89bb863815fbee0eeb597f576ec442242a87795244d2c2c8042
    • SHA512: 711a649a2e906c31997fe3d1f9f6fffa3bdd36118c9e11a0fd8acc7b662656d9c63db7f7e8a6c64240b78cbdc22594d1863042911057f539dadebb05c03c9d8b

    Signatures
    • Quasar Payload
    • Quasar RAT
      Quasar is an open-source Remote Access Tool.
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • rl_trojan
      RedLine Stealer.
    • ACProtect 1.3x - 1.4x DLL software
      Detects files protected with ACProtect software.
    • Executes dropped EXE
    • Modifies AppInit DLL entries
    • UPX packed file
      Detects executables packed with UPX or a modified UPX open-source packer.
    • Loads dropped DLL
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/HtmlAgilityPack.dll
    • Size: 123KB
    • MD5: 97458fb37fcbea19b16704474e0bb747
    • SHA1: d846a58c2dfa287dc070a3b3eaa12de54aefc5f4
    • SHA256: eb6841497cafab1aac432b09f4979997fa3314d4828be15cdbd37f621ba38eac
    • SHA512: 7edeaadae25c60acf5fa969655ad667826dbec8025a09bd14933d81c3fddf2e6409c2f60345da2420d63c70b3b4985f8e33913fe09af5cb4695b28b2ba561f3d
    • Score: 1/10

    • Target: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/Load.exe
    • Size: 226KB
    • MD5: 9c7691ff597e9efd7f796b31accb78e8
    • SHA1: 81bb289aa37d182b60e86990376a375de7a8decc
    • SHA256: 1624af752c9f85fd117fafb28feb42a079f283dc133cdcc5799810072a95a6cb
    • SHA512: 739f187aaeda13b7ebef3918a965b8da4ee939cd3e60d36802768f52be7b08f5964b121d1e977f4c408ff8ae6aba02df4a4d37785735c2f70d8610551cbab135
    • Score: 3/10

    • Target: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader.exe
    • Size: 292KB
    • MD5: f0aa6235c34fb2c5af7bfa214ddfea07
    • SHA1: 83265dfd7fc52cfe57d6ba12774aed62af731746
    • SHA256: e9780f257098c6503bf1c5a3715f27409c5015efe67060edb858c8bb54f876b3
    • SHA512: 32af8d069f9d3cac141f8cdc5ad21eb29cddaf7c498eda4e68790c9bbaefb3d517eee6025824b758a4967f2d07ab4195da5ff9cf74145b72b163b0c3cc8e93c3
    • Score: 9/10

    Signatures
    • ACProtect 1.3x - 1.4x DLL software
      Detects files protected with ACProtect software.
    • Modifies AppInit DLL entries
    • UPX packed file
      Detects executables packed with UPX or a modified UPX open-source packer.
    • Loads dropped DLL
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.


    • Target: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader1.exe
    • Size: 147KB
    • MD5: 0a020a0a5f365ca997abb2c1c7ceb6d6
    • SHA1: c3d7efdd2c2156729bf4ac905edb95f7b2ac8ae8
    • SHA256: e0ec77a3548c4e55bc655b6754e8205bc09dd444e94886d3906e45fdff59ac02
    • SHA512: 98c85a19bc692603264bd2b408f40b92a0942ba5850f790a83a7a3c1467b1ea6a0922db6c7613cc14e248c43cbdb3dd098e6bef9f86a0eeca9ecccafb1667943
    • Score: 9/10

    Signatures
    • ACProtect 1.3x - 1.4x DLL software
      Detects files protected with ACProtect software.
    • UPX packed file
      Detects executables packed with UPX or a modified UPX open-source packer.
    • Loads dropped DLL
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.


    • Target: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
    • Size: 1.1MB
    • MD5: 3ab47d7d723c1661807084d39d4b7744
    • SHA1: a8790ce365a8e62d3f38fe2b6fae36b34f7a5a18
    • SHA256: 05ecfbb70aa1785e6c8aad3c7da653a797aba2193b7ef136d68e50e23315fbe2
    • SHA512: 667c794cbd3bec294a5b6321ec25624a2dc4c44da240ddba7759dceeaca303a34891be85a09bece13bfb8763bfcd6041d08d55e723c2f846a0938bf196cb7d84

    Signatures
    • Quasar Payload
    • Quasar RAT
      Quasar is an open-source Remote Access Tool.
    • njRAT/Bladabindi
      Widely used RAT written in .NET.
    • ACProtect 1.3x - 1.4x DLL software
      Detects files protected with ACProtect software.
    • Executes dropped EXE
    • Modifies AppInit DLL entries
    • Modifies Windows Firewall
    • UPX packed file
      Detects executables packed with UPX or a modified UPX open-source packer.
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • autoit_exe
      AutoIt scripts compiled to PE executables.


    • Target: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/HtmlAgilityPack.dll
    • Size: 123KB
    • MD5: 97458fb37fcbea19b16704474e0bb747
    • SHA1: d846a58c2dfa287dc070a3b3eaa12de54aefc5f4
    • SHA256: eb6841497cafab1aac432b09f4979997fa3314d4828be15cdbd37f621ba38eac
    • SHA512: 7edeaadae25c60acf5fa969655ad667826dbec8025a09bd14933d81c3fddf2e6409c2f60345da2420d63c70b3b4985f8e33913fe09af5cb4695b28b2ba561f3d
    • Score: 1/10

    • Target: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Load.exe
    • Size: 226KB
    • MD5: 9c7691ff597e9efd7f796b31accb78e8
    • SHA1: 81bb289aa37d182b60e86990376a375de7a8decc
    • SHA256: 1624af752c9f85fd117fafb28feb42a079f283dc133cdcc5799810072a95a6cb
    • SHA512: 739f187aaeda13b7ebef3918a965b8da4ee939cd3e60d36802768f52be7b08f5964b121d1e977f4c408ff8ae6aba02df4a4d37785735c2f70d8610551cbab135
    • Score: 1/10

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       2      T1053
  Persistence           Registry Run Keys / Startup Folder   4      T1060
  Persistence           Scheduled Task                       2      T1053
  Persistence           Hidden Files and Directories         2      T1158
  Persistence           Modify Existing Service              1      T1031
  Privilege Escalation  Scheduled Task                       2      T1053
  Defense Evasion       Modify Registry                      4      T1112
  Defense Evasion       Hidden Files and Directories         2      T1158
  Discovery             Query Registry                       4      T1012
  Discovery             Peripheral Device Discovery          4      T1120
  Discovery             System Information Discovery         8      T1082
