Overview: 10
Static: 8

Task scores:
  Heart-Send...ig.bat windows7_x64: 10
  Heart-Send...ig.bat windows10_x64: 10
  Heart-Send...ck.dll windows7_x64: 1
  Heart-Send...ck.dll windows10_x64: 1
  Heart-Send...ad.exe windows7_x64: 3
  Heart-Send...ad.exe windows10_x64: 1
  Heart-Send...er.exe windows7_x64: 9
  Heart-Send...er.exe windows10_x64: 9
  Heart-Send...r1.exe windows7_x64: 9
  Heart-Send...r1.exe windows10_x64: 9
  Heart-Send...ye.exe windows7_x64: 10
  Heart-Send...ye.exe windows10_x64: 10
  Heart-Send...ck.dll windows7_x64: 1
  Heart-Send...ck.dll windows10_x64: 1
  Heart-Send...ad.exe windows7_x64: 1
  Heart-Send...ad.exe windows10_x64: 1

Analysis
  max time kernel: 149s
  max time network: 153s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 09-03-2021 13:55
Static task: static1

Behavioral tasks (sample, resource):
  behavioral1: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Config.bat, win7v20201028
  behavioral2: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Config.bat, win10v20201028
  behavioral3: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/HtmlAgilityPack.dll, win7v20201028
  behavioral4: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/HtmlAgilityPack.dll, win10v20201028
  behavioral5: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/Load.exe, win7v20201028
  behavioral6: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/Load.exe, win10v20201028
  behavioral7: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader.exe, win7v20201028
  behavioral8: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader.exe, win10v20201028
  behavioral9: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader1.exe, win7v20201028
  behavioral10: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader1.exe, win10v20201028
  behavioral11: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe, win7v20201028
  behavioral12: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe, win10v20201028
  behavioral13: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/HtmlAgilityPack.dll, win7v20201028
  behavioral14: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/HtmlAgilityPack.dll, win10v20201028
  behavioral15: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Load.exe, win7v20201028
  behavioral16: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Load.exe, win10v20201028
General
  Target: Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Config.bat

Malware Config
  Extracted:
    quasar
    1.3.0.0
    Heart
    185.163.127.20:61110
    HRT_MUTEX_kecTsVDPnERdvianlr
  encryption_key: 3vnM9JqtaSdxUVqeTXSi
  install_name: Subfile.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDirr
Signatures

Quasar Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe | family_quasar
  C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe | family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  resource | yara_rule
  behavioral2/memory/4496-38-0x00000000054F0000-0x00000000054F1000-memory.dmp | redline

ACProtect 1.3x - 1.4x DLL software (4 IoCs)
Detects file using ACProtect software.
  resource | yara_rule
  \Program Files\Common Files\System\symsrv.dll | acprotect
  C:\Program Files\Common Files\System\symsrv.dll | acprotect
  \Program Files\Common Files\System\symsrv.dll | acprotect
  \Program Files\Common Files\System\symsrv.dll | acprotect

Executes dropped EXE (2 IoCs)
  pid | process
  4496 | Subfile.exe
  4500 | Sys32.exe

Modifies AppInit DLL entries (2 TTPs)
-
  resource | yara_rule
  \Program Files\Common Files\System\symsrv.dll | upx
  C:\Program Files\Common Files\System\symsrv.dll | upx
  \Program Files\Common Files\System\symsrv.dll | upx
  C:\Users\Admin\AppData\Local\Temp\A1D26E2\81A97546CC.tmp | upx
  \Program Files\Common Files\System\symsrv.dll | upx
  C:\Users\Admin\AppData\Local\Temp\A1D26E2\835EB0C900.tmp | upx

Loads dropped DLL (3 IoCs)
  pid | process
  1740 | Loader.exe
  2304 | Loader1.exe
  4496 | Subfile.exe

Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\e: | Subfile.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  16 | ip-api.com

Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File created | C:\Program Files\Common Files\System\symsrv.dll | Loader.exe
  File created | \??\c:\progra~1\common~1\system\symsrv.dll.000 | Subfile.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  1288 | schtasks.exe
  1432 | schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | process
  4500 | Sys32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | process
  5080 | powershell.exe (3 hits)
  1016 | powershell.exe (3 hits)
  4496 | Subfile.exe (6 hits)

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  pid | process | tokens, in the order reported
  5080 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  1016 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  1740 | Loader.exe | SeDebugPrivilege
  2304 | Loader1.exe | SeDebugPrivilege
  4496 | Subfile.exe | SeDebugPrivilege, SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | process
  4496 | Subfile.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | process | target process
  PID 4812 wrote to memory of 5080 | 4812 | cmd.exe | powershell.exe (2 hits)
  PID 4812 wrote to memory of 1016 | 4812 | cmd.exe | powershell.exe (2 hits)
  PID 4812 wrote to memory of 1288 | 4812 | cmd.exe | schtasks.exe (2 hits)
  PID 4812 wrote to memory of 1432 | 4812 | cmd.exe | schtasks.exe (2 hits)
  PID 4812 wrote to memory of 1608 | 4812 | cmd.exe | attrib.exe (2 hits)
  PID 4812 wrote to memory of 1740 | 4812 | cmd.exe | Loader.exe (3 hits)
  PID 4812 wrote to memory of 2304 | 4812 | cmd.exe | Loader1.exe (3 hits)

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Config.bat"
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell Add-MpPreference -ExclusionPath "C:\Users" -force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\schtasks.exe
      command line: schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile0" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe" /RL HIGHEST /f
      - Creates scheduled task(s)

    C:\Windows\system32\schtasks.exe
      command line: schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile1" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe" /RL HIGHEST /f
      - Creates scheduled task(s)

    C:\Windows\system32\attrib.exe
      command line: attrib +h +s C:\Users\Admin\AppData\Roaming\SubDirr
      - Views/modifies file attributes

    C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader.exe
      command line: loader.exe -pP@$$W@RD@@
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader1.exe
      command line: loader1.exe -pP@$$W@RD@@
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
  command line: C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
  command line: C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Common Files\System\symsrv.dll
  MD5: 7574cf2c64f35161ab1292e2f532aabf
  SHA1: 14ba3fa927a06224dfe587014299e834def4644f
  SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
  SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 9df7f307a86ab2e65f83ea16549bdc13
  SHA1: 94bc3cdeb5d4521b81cad32ca4a7707b8a8205f3
  SHA256: 36effe36c710ccc2bb87572d4b4146ca01ab902805346c587e8cd729a5af4f6c
  SHA512: 413053b4bb6f372564fb129b3944cebc448a0fe82117c3202d63f6f00f05c9d6a47657b828895de49a1742e1d432ad86ad74fcb1693f5141ec1910ee57826795

C:\Users\Admin\AppData\Local\Temp\A1D26E2\81A97546CC.tmp
  MD5: a0f5d9448eed029fef6d9944df015832
  SHA1: 560dc39fbdccf26465005baf60648d3e0e41b32a
  SHA256: 02d46c7d93d8be4e82fd29d9452203f86d75476dbfcc952efa63360a260fb242
  SHA512: c41251267d6c42aa916df9e15304e839b0cb9087c834c9aa2a3b912b91c67ba1804e0a1854c64b14654d9ead03e1ed0e4a4ca3a4fd87616f7ad47c8edcec12d7

C:\Users\Admin\AppData\Local\Temp\A1D26E2\835EB0C900.tmp
  MD5: cb12a9883105636361815cc05ae84a9b
  SHA1: e200f1b9553254dac2771c11e9c7eaf39095803c
  SHA256: fb6f81aaf1dbe4cf4a182b2f049504c2b137cf714eacddf8debc7087d52414e7
  SHA512: 36dd29e931d771802e4f39ece4cb3ab6bff777457304d3242b88189ebd8a2650a68dba2b100309f6a5962af2d92416f91f0ad0e323e98d7276b2ecec0c657fec

C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
  MD5: 3e5da207d7655d267515b8fd7fe35b8a
  SHA1: 85a81b28b919d283c7ae1df1a6c8c45dc0ff756a
  SHA256: db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42
  SHA512: f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d

C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
  MD5: 4fb7326fe1263d2f0626ee186195b891
  SHA1: f2ceda16fe3ba9e90e2b17f77879278923fb3fe9
  SHA256: d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4
  SHA512: f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a

\Program Files\Common Files\System\symsrv.dll
  MD5: 7574cf2c64f35161ab1292e2f532aabf
  SHA1: 14ba3fa927a06224dfe587014299e834def4644f
  SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
  SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Memory dumps (path, Filesize):
  memory/1016-12-0x00000213C4EF0000-0x00000213C4EF2000-memory.dmp, 8KB
  memory/1016-17-0x00000213C4EF6000-0x00000213C4EF8000-memory.dmp, 8KB
  memory/1016-22-0x00000213C4EF8000-0x00000213C4EF9000-memory.dmp, 4KB
  memory/1016-13-0x00000213C4EF3000-0x00000213C4EF5000-memory.dmp, 8KB
  memory/1016-11-0x00007FFA613A0000-0x00007FFA61D8C000-memory.dmp, 9.9MB
  memory/1016-9-0x0000000000000000-mapping.dmp
  memory/1288-18-0x0000000000000000-mapping.dmp
  memory/1432-19-0x0000000000000000-mapping.dmp
  memory/1608-20-0x0000000000000000-mapping.dmp
  memory/1740-21-0x0000000000000000-mapping.dmp
  memory/2304-24-0x0000000000000000-mapping.dmp
  memory/4496-38-0x00000000054F0000-0x00000000054F1000-memory.dmp, 4KB
  memory/4496-48-0x00000000069E0000-0x00000000069E1000-memory.dmp, 4KB
  memory/4496-47-0x0000000006660000-0x0000000006661000-memory.dmp, 4KB
  memory/4496-46-0x0000000006290000-0x0000000006291000-memory.dmp, 4KB
  memory/4496-45-0x0000000005FB0000-0x0000000005FB1000-memory.dmp, 4KB
  memory/4496-44-0x0000000005980000-0x0000000005981000-memory.dmp, 4KB
  memory/4496-42-0x0000000005790000-0x0000000005791000-memory.dmp, 4KB
  memory/4496-41-0x0000000006D90000-0x0000000006D91000-memory.dmp, 4KB
  memory/4496-39-0x00000000007E0000-0x00000000007E1000-memory.dmp, 4KB
  memory/4496-37-0x0000000073A70000-0x000000007415E000-memory.dmp, 6.9MB
  memory/4500-43-0x000000001B5C0000-0x000000001B5C2000-memory.dmp, 8KB
  memory/4500-34-0x00000000008A0000-0x00000000008A1000-memory.dmp, 4KB
  memory/4500-31-0x00007FFA613A0000-0x00007FFA61D8C000-memory.dmp, 9.9MB
  memory/5080-3-0x00007FFA613A0000-0x00007FFA61D8C000-memory.dmp, 9.9MB
  memory/5080-4-0x0000022739370000-0x0000022739371000-memory.dmp, 4KB
  memory/5080-2-0x0000000000000000-mapping.dmp
  memory/5080-5-0x0000022736B00000-0x0000022736B02000-memory.dmp, 8KB
  memory/5080-7-0x0000022739520000-0x0000022739521000-memory.dmp, 4KB
  memory/5080-6-0x0000022736B03000-0x0000022736B05000-memory.dmp, 8KB
  memory/5080-8-0x0000022736B06000-0x0000022736B08000-memory.dmp, 8KB