General

  • Target

    178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de

  • Size

    6.8MB

  • Sample

    220215-txchpshab2

  • MD5

    4d8eb19e4c6ad857cf5f0b1eed9613a6

  • SHA1

    a907eb422049512f9efcfbefc7bf9fb5a2500d89

  • SHA256

    178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de

  • SHA512

    74a2be4e0acdb4378f20a7b9ca4ac753fa0faad57b67163d087e1ec79df808e1ffc2d5687e6404a126645939f4dd8128a095077d85ac933aaa7fdeba3e4714ce

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

VapeUser

C2

pangrowman.myddns.me:4782

Mutex

d7ca8b59-e988-46e5-b633-b83737aaab77

Attributes
  • encryption_key

    843E9B8CFBAC676CE893EA246D37E169B7DB0FB4

  • install_name

    MicrosoftSupport.exe

  • log_directory

    Logs

  • reconnect_delay

    5000

  • startup_key

    Windows Support

  • subdirectory

    Windows

Targets

    • Target

      178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de

    • Size

      6.8MB

    • MD5

      4d8eb19e4c6ad857cf5f0b1eed9613a6

    • SHA1

      a907eb422049512f9efcfbefc7bf9fb5a2500d89

    • SHA256

      178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de

    • SHA512

      74a2be4e0acdb4378f20a7b9ca4ac753fa0faad57b67163d087e1ec79df808e1ffc2d5687e6404a126645939f4dd8128a095077d85ac933aaa7fdeba3e4714ce

    • Quasar Payload

    • Quasar RAT

      Quasar is an open-source .NET remote access tool; the Malware Config section above is the client configuration extracted from this sample.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger
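
The extracted configuration, together with the persistence and anti-VM behaviours in the signature list, gives a responder enough to hunt for this build on other hosts. The Python below is an added example, not part of the sandbox report or of the Quasar project: it turns the config into indicators and runs them over a handful of constructed Sysmon-style events. The C2 host and port, mutex, install name, subdirectory and startup key are copied from the report's Malware Config section; the Sysmon-style event schema, the %APPDATA%\Roaming base path in the sample events, and the statement that Quasar uses its STARTUPKEY as both scheduled-task name and Run value are drawn from the open-source Quasar client code and are assumptions as far as this report is concerned.

```python
import re

# Values copied from the report's "Malware Config" section.
CONFIG = {
    "c2": "pangrowman.myddns.me:4782",
    "mutex": "d7ca8b59-e988-46e5-b633-b83737aaab77",
    "install_name": "MicrosoftSupport.exe",
    "startup_key": "Windows Support",
    "subdirectory": "Windows",
}

# Anti-VM artefact behind the report's "Identifies VirtualBox via ACPI registry
# values" signature: VirtualBox writes its OEM ID "VBOX__" into the ACPI tables
# that Windows mirrors under HKLM\HARDWARE\ACPI.
VBOX_ACPI_RE = re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)


def derive_indicators(cfg):
    """Turn the extracted config into hunting indicators.

    Quasar's open-source client registers persistence under its STARTUPKEY,
    as a scheduled task when it runs elevated and as an HKCU Run value
    otherwise; the report's T1053 mapping fits the former. The install path
    is matched by its tail only, because the report does not state the base
    directory (DIRECTORY setting) of this build.
    """
    host, port = cfg["c2"].rsplit(":", 1)
    tail = r"\\" + re.escape(cfg["subdirectory"]) + r"\\" + re.escape(cfg["install_name"]) + r"$"
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"].lower(),  # needs handle telemetry, not matched below
        "startup_key": cfg["startup_key"].lower(),
        "install_path_re": re.compile(tail, re.IGNORECASE),
    }


def _arg(cmdline, flag):
    """Value following a schtasks flag, quoted or bare; None if absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def match_event(ind, ev):
    """Return the names of every indicator the event trips (possibly none)."""
    hits = []
    t = ev["type"]
    if t == "dns" and ev["query"].lower() == ind["c2_host"]:
        hits.append("c2_dns_query")
    elif t == "network" and ev["dst_host"].lower() == ind["c2_host"] and ev["dst_port"] == ind["c2_port"]:
        hits.append("c2_connection")
    elif t == "process" and ev["image"].lower().endswith("\\schtasks.exe"):
        cmd = ev["cmdline"]
        if "/create" in cmd.lower():
            if (_arg(cmd, "/tn") or "").lower() == ind["startup_key"]:
                hits.append("schtasks_startup_key")
            if ind["install_path_re"].search(_arg(cmd, "/tr") or ""):
                hits.append("schtasks_install_path")
    elif t == "registry":
        run = RUN_KEY_RE.search(ev["path"])
        if ev["op"] == "SetValue" and run and run.group(1).lower() == ind["startup_key"]:
            hits.append("run_key_startup_key")
        if ev["op"] == "SetValue" and ind["install_path_re"].search(ev.get("data", "")):
            hits.append("registry_install_path")
        if VBOX_ACPI_RE.search(ev["path"]):
            hits.append("vbox_acpi_probe")
    return hits


def hunt(events, cfg=CONFIG):
    """Run every event through the indicators; return [(event_index, hit), ...]."""
    ind = derive_indicators(cfg)
    return [(i, h) for i, ev in enumerate(events) for h in match_event(ind, ev)]


# Constructed Sysmon-style events for the demonstration; not data from the
# report. The %APPDATA%\Roaming base path is assumed.
TELEMETRY = [
    {"type": "dns", "query": "pangrowman.myddns.me"},
    {"type": "network", "dst_host": "pangrowman.myddns.me", "dst_port": 4782},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Windows Support" /sc ONLOGON '
                r'/tr "C:\Users\bob\AppData\Roaming\Windows\MicrosoftSupport.exe" /rl HIGHEST /f'},
    {"type": "registry", "op": "SetValue",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Support",
     "data": r"C:\Users\bob\AppData\Roaming\Windows\MicrosoftSupport.exe"},
    {"type": "registry", "op": "QueryValue", "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", "data": ""},
    # Benign look-alikes that must not match.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Adobe Updater" /sc DAILY /tr "C:\Program Files\Adobe\upd.exe"'},
    {"type": "dns", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for idx, hit in hunt(TELEMETRY):
        print(f"event {idx}: {hit}")
```

Two caveats when using this for real. The C2 is a dynamic-DNS hostname, so hunt on the name (DNS logs, proxy logs) rather than on whatever IP it resolved to during the sandbox run; that address can change at any time. The task name and Run value are the operator-chosen startup key, so they identify this build specifically, whereas the VBOX__ ACPI probe is a generic anti-VM check and on its own only says "something is looking for VirtualBox". The mutex is kept in the indicator set for comparison against memory or sandbox artefacts, but Sysmon does not record mutex creation, so the matcher above does not use it.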

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                        Signatures  ID
  Execution             Scheduled Task                   1           T1053
  Persistence           Scheduled Task                   1           T1053
  Privilege Escalation  Scheduled Task                   1           T1053
  Defense Evasion       Virtualization/Sandbox Evasion   1           T1497
  Discovery             Query Registry                   5           T1012
  Discovery             Virtualization/Sandbox Evasion   1           T1497
  Discovery             System Information Discovery     6           T1082
