Overview

overview

10

Static

static

10

9C78846071...F9.exe

windows7_x64

10

9C78846071...F9.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9C78846071126D7F29A8B82B699903031D7D2CD837DF9.exe

  • Size

    1.5MB

  • Sample

    220604-xy1hpsgdal

  • MD5

    58a250aeb22f0040185210402d4243b3

  • SHA1

    cb74b3dba0e3ef8073f03810a0232da641b8a587

  • SHA256

    9c78846071126d7f29a8b82b699903031d7d2cd837df91584fd1ee7eb7b8c93b

  • SHA512

    72aea6fd61661826dad7de76d7e998de0f91cf9992282cb16dcf11ca8a32c64b249839f9680b6a0a95b848c2f57fb4b1d5d80f300007656edd8ad95c7afe4980

Score
10/10
quasarredlinevenomratawsrv/r/bdiscoveryevasioninfostealerratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Mutex

Attributes
  • encryption_key

  • install_name

  • log_directory

  • reconnect_delay

    3000

  • startup_key

  • subdirectory

Extracted

Family

redline

Botnet

AwsR

C2

siyatermi.duckdns.org:17044

Extracted

Family

quasar

Version

2.1.0.0

Botnet

V/R/B

C2

siyatermi.duckdns.org:1518

Mutex

VNM_MUTEX_mJ6pCWZMe3OMOha5bj

Attributes
  • encryption_key

    g1Bi32PXFGwyBI9DJGTD

  • install_name

    Start Process.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Browser Module

  • subdirectory

    Sys Resources

Targets

    • Target

      9C78846071126D7F29A8B82B699903031D7D2CD837DF9.exe

    • Size

      1.5MB

    • MD5

      58a250aeb22f0040185210402d4243b3

    • SHA1

      cb74b3dba0e3ef8073f03810a0232da641b8a587

    • SHA256

      9c78846071126d7f29a8b82b699903031d7d2cd837df91584fd1ee7eb7b8c93b

    • SHA512

      72aea6fd61661826dad7de76d7e998de0f91cf9992282cb16dcf11ca8a32c64b249839f9680b6a0a95b848c2f57fb4b1d5d80f300007656edd8ad95c7afe4980

    Score
    10/10
    quasarredlinevenomratawsrv/r/bdiscoveryevasioninfostealerratrootkitspywarestealersuricatatrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks