Overview

overview

10

Static

static

10

The increa...ed.pdf

windows7_x64

1

The increa...ed.pdf

windows10-2004_x64

1

The increa...df.exe

windows7_x64

10

The increa...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-03-2022 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The increasingly complicated Russia-Ukraine crisis explained.pdf.exe

  • Size

    713KB

  • MD5

    19338d49c7f6a98163ed63ca165a6d9d

  • SHA1

    bbb9bf63efc448706f974050bef23bb1edd13782

  • SHA256

    b4e3216803e2ec15ff0df82bf47656df179a4efa977eb187607bab0c38909a00

  • SHA512

    b8c9235a9a825284dcd3bf5c210f1f842e90639c4459ae1728e2e96aa738a9f8fdf7a119cc2d4e92a5400870644c571278f0f33679d7b398d399c981c8a6fa31

Score
10/10
quasarpdfspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

PDF

C2

https://web.sunvn.net:4782

https://taisunwin.club:4782

https://web.sunwinvn.vip:4782

http://b29.bet:4782

https://playgo88.fun:4782

https://choigo88.us:4782
Mutex

ca1a9340-65d7-49a9-b045-50c69210b55d

Attributes
  • encryption_key

    9C84151BA76B2D40C2A4C55E8D137720CE7C0137

  • install_name

    PDF.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    PDF Reader

  • subdirectory

    PDF Reader

Signatures

  • Quasar Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\The increasingly complicated Russia-Ukraine crisis explained.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\The increasingly complicated Russia-Ukraine crisis explained.pdf.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "PDF Reader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\The increasingly complicated Russia-Ukraine crisis explained.pdf.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2000-130-0x0000000000F80000-0x0000000001038000-memory.dmp
    Filesize

    736KB

    Download
  • memory/2000-132-0x000000001D210000-0x000000001D212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2000-131-0x00007FF8F9B20000-0x00007FF8FA5E1000-memory.dmp
    Filesize

    10.8MB

    Download