Overview

overview

10

Static

static

10

MAGICD_1.exe

windows7_x64

10

MAGICD_1.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MAGICD_1.exe.vir

  • Size

    12.8MB

  • Sample

    220618-n8lb4agffp

  • MD5

    ae6fe2df78169ded8716bb674c717f63

  • SHA1

    2766c35c6959da709609f64a3dc1a0154ec2ef5e

  • SHA256

    74aee30ce1fd2e305307be59aa6b15b8a33854af361242547826f3b77a6bb169

  • SHA512

    ca89706908eb7be6f1f3ce4987d1a3718d05b17c09724e849a272d55492ca5ec80e2d9f89b5cc60bebc5e1883be428f890ea062abd7c97585ee0277917007b69

Score
10/10
quasarredlinevenomratawsrv/r/bdiscoveryevasioninfostealerpyinstallerratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

redline

Botnet

AwsR

C2

siyatermi.duckdns.org:17044

Extracted

Family

quasar

Version

2.1.0.0

Botnet

V/R/B

C2

siyatermi.duckdns.org:1518

Mutex

VNM_MUTEX_mJ6pCWZMe3OMOha5bj

Attributes
  • encryption_key

    g1Bi32PXFGwyBI9DJGTD

  • install_name

    Start Process.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Browser Module

  • subdirectory

    Sys Resources

Targets

    • Target

      MAGICD_1.exe.vir

    • Size

      12.8MB

    • MD5

      ae6fe2df78169ded8716bb674c717f63

    • SHA1

      2766c35c6959da709609f64a3dc1a0154ec2ef5e

    • SHA256

      74aee30ce1fd2e305307be59aa6b15b8a33854af361242547826f3b77a6bb169

    • SHA512

      ca89706908eb7be6f1f3ce4987d1a3718d05b17c09724e849a272d55492ca5ec80e2d9f89b5cc60bebc5e1883be428f890ea062abd7c97585ee0277917007b69

    Score
    10/10
    quasarredlinevenomratawsrv/r/bdiscoveryevasioninfostealerpyinstallerratrootkitspywarestealersuricatatrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks