Overview

overview

10

Static

static

10

A83B168B62...45.exe

windows7_x64

10

A83B168B62...45.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    A83B168B629212E96AC8EF12ADB96D9241A16C0F33A45.exe

  • Size

    7.8MB

  • Sample

    220624-wnkttseafp

  • MD5

    f32a5cdef458cf233840a9c630cc40a2

  • SHA1

    5d116e407532c60f9a5fd7e923ca1e074eab8a74

  • SHA256

    a83b168b629212e96ac8ef12adb96d9241a16c0f33a459777e31a5b1b458282e

  • SHA512

    b97248664a14cee3d9edbe1bbcb04e149e7dc3c546e6137d39b536145a903c96f3be8d2aeb978be324a4fdda66fb9cc0f6cee0f83d7f3b97bbad55a5c5b9d2ee

Score
10/10
quasarredlinevenomratawsrv/r/bdiscoveryevasioninfostealerpyinstallerratrootkitspywarestealersuricatatrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

redline

Botnet

AwsR

C2

siyatermi.duckdns.org:17044

Extracted

Family

quasar

Version

2.1.0.0

Botnet

V/R/B

C2

siyatermi.duckdns.org:1518

Mutex

VNM_MUTEX_mJ6pCWZMe3OMOha5bj

Attributes
  • encryption_key

    g1Bi32PXFGwyBI9DJGTD

  • install_name

    Start Process.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Browser Module

  • subdirectory

    Sys Resources

Targets

    • Target

      A83B168B629212E96AC8EF12ADB96D9241A16C0F33A45.exe

    • Size

      7.8MB

    • MD5

      f32a5cdef458cf233840a9c630cc40a2

    • SHA1

      5d116e407532c60f9a5fd7e923ca1e074eab8a74

    • SHA256

      a83b168b629212e96ac8ef12adb96d9241a16c0f33a459777e31a5b1b458282e

    • SHA512

      b97248664a14cee3d9edbe1bbcb04e149e7dc3c546e6137d39b536145a903c96f3be8d2aeb978be324a4fdda66fb9cc0f6cee0f83d7f3b97bbad55a5c5b9d2ee

    Score
    10/10
    quasarredlinevenomratawsrv/r/bdiscoveryevasioninfostealerpyinstallerratrootkitspywarestealersuricatatrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata: ET MALWARE Common RAT Connectivity Check Observed

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks