Overview

overview

10

Static

static

bf79b08db6...31.exe

windows7_x64

10

bf79b08db6...31.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-05-2022 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31.exe

  • Size

    351KB

  • MD5

    ce5ad18cc090c8a1405f084d9144671d

  • SHA1

    67530a17331ad6477e4b25ef866412349791a3cb

  • SHA256

    bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31

  • SHA512

    66f3d07eb12c2a94f30fd37dadf832769fb87d10be3751f91ac474f4e72d86b535c5159f7fe2ac80500a844e9a7ace0db1d6dac69c1150475f03c207b9e8bc2a

Score
10/10
quasarvenomrat1ratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

1

C2

10.0.2.15:1337

Mutex

VNM_MUTEX_28broDsmlFWTzx7r3B

Attributes
  • encryption_key

    0hi0YaDWMh7jhT37Tcsm

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Quasar Payload 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31.exe
    "C:\Users\Admin\AppData\Local\Temp\bf79b08db6040f007e6ba07e7628388df2ab9f666e75b16e230d3e9d8600ab31.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Users\Admin\AppData\Local\Temp\Iwpblky.exe
      "C:\Users\Admin\AppData\Local\Temp\Iwpblky.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Iwpblky.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1384
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1708

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Iwpblky.exe
    Filesize

    534KB

    MD5

    7877fc84e5fad8018d10fedee3fd7b4e

    SHA1

    ee58d0a7ee2db778d20bf292393696614443fefa

    SHA256

    2a2e8ebc771d27fc3b32a7e059e1f9aa458324cb225ebea2b4bed0acd191e1be

    SHA512

    ba5a3e9072876c89f1c2bb40e748fd6eb7ae0c9eb99756ab4bcd1bb5d5b1dedb1e517b0e3efd354cf3ed58bb3c49b8d365d340d95781b8eb8577e22ab0675175

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Iwpblky.exe
    Filesize

    534KB

    MD5

    7877fc84e5fad8018d10fedee3fd7b4e

    SHA1

    ee58d0a7ee2db778d20bf292393696614443fefa

    SHA256

    2a2e8ebc771d27fc3b32a7e059e1f9aa458324cb225ebea2b4bed0acd191e1be

    SHA512

    ba5a3e9072876c89f1c2bb40e748fd6eb7ae0c9eb99756ab4bcd1bb5d5b1dedb1e517b0e3efd354cf3ed58bb3c49b8d365d340d95781b8eb8577e22ab0675175

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Jzgizllmjonfo.jpg
    Filesize

    18KB

    MD5

    482df92fbac57cd628c411930acc1be5

    SHA1

    72c1e39321c579358a456739df266277b1d16448

    SHA256

    db60af6f42acb7f58ad8a9267c9b59eb31f943023d08c48c1a35907f9aab54bf

    SHA512

    3976da093e141e0ca2caae12ed2317042b6ce402ccf897aac5b5a886ebd1e0dd94f80e9c19faed31ecdc49f1a522ed78a2f9b93c156ad0ca362aff3f7f1fc3e4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Iwpblky.exe
    Filesize

    534KB

    MD5

    7877fc84e5fad8018d10fedee3fd7b4e

    SHA1

    ee58d0a7ee2db778d20bf292393696614443fefa

    SHA256

    2a2e8ebc771d27fc3b32a7e059e1f9aa458324cb225ebea2b4bed0acd191e1be

    SHA512

    ba5a3e9072876c89f1c2bb40e748fd6eb7ae0c9eb99756ab4bcd1bb5d5b1dedb1e517b0e3efd354cf3ed58bb3c49b8d365d340d95781b8eb8577e22ab0675175

    Download Submit

  • memory/1792-54-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1792-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2012-60-0x0000000000840000-0x00000000008CC000-memory.dmp

    Filesize

    560KB

    Download