General
-
Target
9C78846071126D7F29A8B82B699903031D7D2CD837DF9.exe
-
Size
1.5MB
-
Sample
220604-xysg4agchq
-
MD5
58a250aeb22f0040185210402d4243b3
-
SHA1
cb74b3dba0e3ef8073f03810a0232da641b8a587
-
SHA256
9c78846071126d7f29a8b82b699903031d7d2cd837df91584fd1ee7eb7b8c93b
-
SHA512
72aea6fd61661826dad7de76d7e998de0f91cf9992282cb16dcf11ca8a32c64b249839f9680b6a0a95b848c2f57fb4b1d5d80f300007656edd8ad95c7afe4980
Malware Config
Extracted
quasar
- encryption_key
- install_name
- log_directory
-
reconnect_delay
3000
- startup_key
- subdirectory
Extracted
redline
AwsR
siyatermi.duckdns.org:17044
Extracted
quasar
2.1.0.0
V/R/B
siyatermi.duckdns.org:1518
VNM_MUTEX_mJ6pCWZMe3OMOha5bj
-
encryption_key
g1Bi32PXFGwyBI9DJGTD
-
install_name
Start Process.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Browser Module
-
subdirectory
Sys Resources
Targets
-
-
Target
9C78846071126D7F29A8B82B699903031D7D2CD837DF9.exe
-
Size
1.5MB
-
MD5
58a250aeb22f0040185210402d4243b3
-
SHA1
cb74b3dba0e3ef8073f03810a0232da641b8a587
-
SHA256
9c78846071126d7f29a8b82b699903031d7d2cd837df91584fd1ee7eb7b8c93b
-
SHA512
72aea6fd61661826dad7de76d7e998de0f91cf9992282cb16dcf11ca8a32c64b249839f9680b6a0a95b848c2f57fb4b1d5d80f300007656edd8ad95c7afe4980
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Quasar Payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-