General

  • Target

    55e326edd8ef12202de73dbc00c036fc01b17e808b3553080279f49946800eb3

  • Size

    6.6MB

  • Sample

    220520-rsgkrabccj

  • MD5

    3591f0e7626a03ee957de228012bb4d1

  • SHA1

    1c2c2f937042ead9defd36219834814afea17d6c

  • SHA256

    55e326edd8ef12202de73dbc00c036fc01b17e808b3553080279f49946800eb3

  • SHA512

    a9ca0c7bea8d44c2a72cf9fd8dcdbe6e8a75041268a738817e0be100b0f9d3056e43737ef443b0635b81402708baf5faef19e74012f94b6d7b5b4e5549625bcb

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.3.0.0

  • Botnet

    dendi

  • C2

    185.244.217.92:4782

  • Mutex

    QSR_MUTEX_LTcjNqRb6NS57npmpd

Attributes

  • encryption_key

    YaVqqMF3gVTZOI5Xevop

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      teamredminer-v0.3.4-win/start_cnv8.bat

    • Size

      1KB

    • MD5

      2a3678b82753d786ac3a98c6ae19cc49

    • SHA1

      274dddcba965bf2949d64c687e719cb66030b484

    • SHA256

      ee912ceb57f257d5a6a3911b0954aa4de7d8eb46dd6e1bb8d6f245a2c400f404

    • SHA512

      1b31a7a5083606966f92814901f66e9266c16733669027171fbd21ed0ac4f981f0d0426ebe8d2544b2cd32fa03352d1f43fc17cf0372eb9f6cd2383bd916df1e

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Detected Stratum cryptominer command

      Looks to be attempting to contact a Stratum mining pool.

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      teamredminer-v0.3.4-win/start_phi2.bat

    • Size

      927B

    • MD5

      2f5b96aaa09dae557f546301a20f9dfb

    • SHA1

      8c230a96d946d347689b0edb255b24d7182c7cc7

    • SHA256

      5b8b3795c0b2f91f0521de9f26588b0a2dc314e2a74ec73609ff8b8d14dfe6b8

    • SHA512

      b608ffb452e93f621f1c4422a24909ffcf2ab0008377abd4873f13bbb567f4ffd652d2b2dec525c12473b61b54125bc232e4ca545d6bbcfa9c7c4126288ae7cd

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Detected Stratum cryptominer command

      Looks to be attempting to contact a Stratum mining pool.

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      teamredminer-v0.3.4-win/teamredminer.exe

    • Size

      6.7MB

    • MD5

      cce80dbe14de96ca15817477b0ac8c03

    • SHA1

      1824ea8e2d15183458e03d40605a097d32565f64

    • SHA256

      f83e0cb2498d6a7044809bf234e29208b193022b2485a0695f2671e061a7272e

    • SHA512

      d52713b297741a8f15092819b3a8f3e56651ce41ef86f29b484c0f9d4536b8b6cf763f88069a030f9a4995f2e2b8040a0c7a50e90c049483bc68933798219635

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
