Overview

overview

10

Static

static

7

3976b6d82c...1a.exe

windows7_x64

10

3976b6d82c...1a.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a

  • Size

    3.1MB

  • Sample

    220520-3taz5scdcj

  • MD5

    bee78b7c6bf3e0794fd5351b5a4ebeea

  • SHA1

    19744fe4bb1a73c803f5c8e3f8c715f2e08ada9b

  • SHA256

    3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a

  • SHA512

    041cf0f734d316d34b5a7ec39eff1246a783c1864820af43df1ad8c5766af2fbbcaf816af48ef81e0924449159282751b385b2eeb3f3c404b5da6c4f674974d9

Score
10/10
quasarpowerevasionspywaresuricatathemidatrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Power

C2

5.45.67.165:2874

Mutex

QSR_MUTEX_lCaExbOzxDAtqtYVRp

Attributes
  • encryption_key

    d5QxWp96Drx5Tu8vGyyl

  • install_name

    gottem.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Frengate

  • subdirectory

    SubDir

Targets

    • Target

      3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a

    • Size

      3.1MB

    • MD5

      bee78b7c6bf3e0794fd5351b5a4ebeea

    • SHA1

      19744fe4bb1a73c803f5c8e3f8c715f2e08ada9b

    • SHA256

      3976b6d82c6f6c735054205550437992189c4495b04afcabcf4f841639957f1a

    • SHA512

      041cf0f734d316d34b5a7ec39eff1246a783c1864820af43df1ad8c5766af2fbbcaf816af48ef81e0924449159282751b385b2eeb3f3c404b5da6c4f674974d9

    Score
    10/10
    quasarpowerevasionspywaresuricatathemidatrojan

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks