General

  • Target

    Heart-Sender-V1.2_Cracked_by_JC0der-FireEye_zip.exe

  • Size

    1.5MB

  • Sample

    210309-wjcpnc2khe

  • MD5

    39c155feba403930d14b9120798d2d32

  • SHA1

    f216c232a58b71c0f2cc0a869c722859c2cfcfa8

  • SHA256

    e42c1e8dd84758e1de952293324126e5bbe6de9cb58f63374eba6d20e01b4350

  • SHA512

    5c0b311d5329b218da69744573e40b463b94c1fb4efd2627d9976f2c7c933fd7ee21b0ad4effb87cd8d6387b4cc7fcddab3a1054f21e806cd79f090fa04cf4bb

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKedTEST

  • C2

    chipo.publicvm.com:1177

  • Mutex

    4c71585ab01a8f1344352fb1f26b00fd

  • Attributes

    reg_key:  4c71585ab01a8f1344352fb1f26b00fd
    splitter: |'|'|

Extracted

  • Family

    quasar

  • Version

    1.3.0.0

  • Botnet

    Heart

  • C2

    185.163.127.20:61110

  • Mutex

    HRT_MUTEX_kecTsVDPnERdvianlr

  • Attributes

    encryption_key:  3vnM9JqtaSdxUVqeTXSi
    install_name:    Subfile.exe
    log_directory:   Logs
    reconnect_delay: 3000
    startup_key:     Quasar Client Startup
    subdirectory:    SubDirr
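To turn the two extracted configurations into something a SOC can match on, here is an added example (my code, not part of the sandbox report and not code from either malware family) that checks the C2, mutex, reg_key/startup_key and install_name/subdirectory values above against Sysmon-style events. The event records are constructed. Two things are assumptions rather than statements of the report: that njRAT's reg_key and Quasar's startup_key are the value names written under a Run key, and that Quasar drops itself as SubDirr\Subfile.exe. The mutex record is a hypothetical EDR event, since Sysmon does not log mutex creation.

```python
"""Match the njRAT and Quasar configs extracted above against Sysmon-style
host telemetry.  Added example, not part of the sandbox report; config
values are copied from the page, event records are constructed."""

# Values copied from the report's "Malware Config" section.
NJRAT_CONFIG = {
    "family": "njrat", "version": "0.7d", "botnet": "HacKedTEST",
    "c2": "chipo.publicvm.com:1177",
    "mutex": "4c71585ab01a8f1344352fb1f26b00fd",
    "reg_key": "4c71585ab01a8f1344352fb1f26b00fd",
    "splitter": "|'|'|",
}
QUASAR_CONFIG = {
    "family": "quasar", "version": "1.3.0.0", "botnet": "Heart",
    "c2": "185.163.127.20:61110",
    "mutex": "HRT_MUTEX_kecTsVDPnERdvianlr",
    "install_name": "Subfile.exe", "subdirectory": "SubDirr",
    "startup_key": "Quasar Client Startup",
}
CONFIGS = [NJRAT_CONFIG, QUASAR_CONFIG]


def indicators(cfg):
    """Derive (kind, value) indicators from one extracted config.

    Assumption (not stated by the report): reg_key / startup_key are the
    value names each implant writes under a Run key, and Quasar's drop
    path ends in <subdirectory>\\<install_name>.
    """
    host, _, port = cfg["c2"].rpartition(":")
    out = {("c2", (host.lower(), int(port))), ("mutex", cfg["mutex"])}
    if "reg_key" in cfg:
        out.add(("run_value", cfg["reg_key"].lower()))
    if "startup_key" in cfg:
        out.add(("run_value", cfg["startup_key"].lower()))
    if "install_name" in cfg:
        tail = cfg["subdirectory"] + "\\" + cfg["install_name"]
        out.add(("install_path", tail.lower()))
    return out


def match_event(ev, configs=CONFIGS):
    """Return [(family, kind, value)] for every indicator the event hits.

    Handles Sysmon EventID 3 (network connect), 22 (DNS query), 13
    (registry value set), 11 (file create) and a hypothetical EDR record
    with EventID "mutex".  A port number alone is never a hit: 1177 or
    61110 on an unrelated destination is not evidence of either family.
    """
    hits = []
    for cfg in configs:
        for kind, value in sorted(indicators(cfg)):
            hit = False
            if kind == "c2":
                host, port = value
                if ev.get("EventID") == 3:
                    dst = {str(ev.get("DestinationIp", "")).lower(),
                           str(ev.get("DestinationHostname", "")).lower()}
                    hit = host in dst and ev.get("DestinationPort") == port
                elif ev.get("EventID") == 22:
                    hit = ev.get("QueryName", "").lower() == host
            elif kind == "run_value" and ev.get("EventID") == 13:
                target = ev.get("TargetObject", "").lower()
                hit = ("\\currentversion\\run\\" in target
                       and target.endswith("\\" + value))
            elif kind == "install_path" and ev.get("EventID") == 11:
                hit = ev.get("TargetFilename", "").lower().endswith("\\" + value)
            elif kind == "mutex" and ev.get("EventID") == "mutex":
                hit = ev.get("MutexName") == value
            if hit:
                hits.append((cfg["family"], kind, value))
    return hits


def scan(events, configs=CONFIGS):
    """One hit list per event; an empty list means nothing attributable."""
    return [match_event(ev, configs) for ev in events]


# Constructed sample telemetry (not taken from the report).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe",
     "QueryName": "chipo.publicvm.com"},
    {"EventID": 3, "Image": "C:\\Users\\u\\AppData\\Roaming\\SubDirr\\Subfile.exe",
     "DestinationIp": "185.163.127.20", "DestinationPort": 61110},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows"
     "\\CurrentVersion\\Run\\4c71585ab01a8f1344352fb1f26b00fd"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\SubDirr\\Subfile.exe"},
    {"EventID": "mutex", "MutexName": "HRT_MUTEX_kecTsVDPnERdvianlr"},
    {"EventID": 3, "DestinationIp": "10.0.0.5", "DestinationPort": 1177},  # port only: no hit
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(ev.get("EventID"), hits)
```

The njRAT C2 is a dynamic-DNS hostname (publicvm.com), so the DNS query event is the durable indicator and the resolved IP should not be pinned; the Quasar C2 is a bare IP and port, so both are required before an event counts as a hit.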

Targets

    • Target

      Heart-Sender-V1.2_Cracked_by_JC0der-FireEye_zip.exe

    • Size

      1.5MB

    • MD5

      39c155feba403930d14b9120798d2d32

    • SHA1

      f216c232a58b71c0f2cc0a869c722859c2cfcfa8

    • SHA256

      e42c1e8dd84758e1de952293324126e5bbe6de9cb58f63374eba6d20e01b4350

    • SHA512

      5c0b311d5329b218da69744573e40b463b94c1fb4efd2627d9976f2c7c933fd7ee21b0ad4effb87cd8d6387b4cc7fcddab3a1054f21e806cd79f090fa04cf4bb

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • rl_trojan

      RedLine Stealer.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Modifies AppInit DLL entries

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Matches  ID
  --------------------  -----------------------------------  -------  -----
  Execution             Scheduled Task                       1        T1053
  Persistence           Registry Run Keys / Startup Folder   2        T1060
  Persistence           Modify Existing Service              1        T1031
  Persistence           Scheduled Task                       1        T1053
  Persistence           Hidden Files and Directories         1        T1158
  Privilege Escalation  Scheduled Task                       1        T1053
  Defense Evasion       Modify Registry                      3        T1112
  Defense Evasion       Hidden Files and Directories         1        T1158
  Discovery             Query Registry                       1        T1012
  Discovery             Peripheral Device Discovery          1        T1120
  Discovery             System Information Discovery         2        T1082

  The IDs are ATT&CK v6 IDs. T1060, T1031 and T1158 were retired in later ATT&CK releases in favour of sub-techniques (T1547.001, T1543.003 and T1564.001 respectively), so map them before loading this table into tooling that tracks a current version.