Overview

overview

10

Static

static

3B6F8FE872...A9.exe

windows7_x64

10

3B6F8FE872...A9.exe

windows10-2004_x64

10

Resubmissions

31/03/2025, 16:47

250331-vak21atwcy 10

31/03/2025, 16:04

250331-thy36as1es 10

31/03/2022, 10:22

220331-md8cpsada5 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe

  • Size

    3.6MB

  • Sample

    220331-md8cpsada5

  • MD5

    cf56adaf1236aa52a98723c8aa61ff84

  • SHA1

    00a517dfa5a9294f5619a7a1d8d0181966692768

  • SHA256

    3b6f8fe87241a3af1ff1414c5223a20b97f2bb2b7b7a9cb574077e253fb6db88

  • SHA512

    2ef67cad31b4792fe066c2cd2f8a745493cf6bd1cab055e689ffa02bb8ec656746f28d06ae0dd6a4a88043c35ac7cf5cc18c3165e81959ef6b6d87ca12a9742b

Score
10/10
quasarredlinecheatimages.exediscoveryevasioninfostealerpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Images.exe

C2

85.215.222.129:65535

Mutex

G8fgKgmsR7tqiTolCN

Attributes
  • encryption_key

    SLsfHXfM5GTIubFvF50I

  • install_name

    Images.exe

  • log_directory

    FiveM_Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

  • subdirectory

Extracted

Family

redline

Botnet

cheat

C2

85.215.222.129:43240

Targets

    • Target

      3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe

    • Size

      3.6MB

    • MD5

      cf56adaf1236aa52a98723c8aa61ff84

    • SHA1

      00a517dfa5a9294f5619a7a1d8d0181966692768

    • SHA256

      3b6f8fe87241a3af1ff1414c5223a20b97f2bb2b7b7a9cb574077e253fb6db88

    • SHA512

      2ef67cad31b4792fe066c2cd2f8a745493cf6bd1cab055e689ffa02bb8ec656746f28d06ae0dd6a4a88043c35ac7cf5cc18c3165e81959ef6b6d87ca12a9742b

    Score
    10/10
    quasarredlinecheatimages.exeevasioninfostealerpersistencespywarethemidatrojandiscoverystealer

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks