Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    107KB

  • Sample

    220728-fw3fvaggd3

  • MD5

    f8a7a4c5d75bfda7dbadf09e3a39e089

  • SHA1

    4527a2ff764c084e55c190d98824ef664a6f1892

  • SHA256

    6bb0ee5036962c86db2292f5ccd21d63a22cbb17a6937c0d89b53ea97b77e8e6

  • SHA512

    54887714264f38063eb6166b3d77ba949ddf2b70d169f5d24fdddadb4cee8572d25031b0bcb0ecaa87deccce7b4449d41e7017debf2db7933598c9f18bd735e1

Score
10/10
bitratquasarredlinecheatoffice04discoveryinfostealerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

nicehash.at:1338

Attributes
  • auth_value

    8095fccd90c93353aaa1fc77bca0ff3f

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

nicehash.at:4000

Mutex

dc4bad02-e33b-461d-8bb2-c976586d2ac0

Attributes
  • encryption_key

    51DF8E701C6F05B28BEC40BEB21419EF5FEC8A38

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    300

  • startup_key

    JavaClient Startup

  • subdirectory

    JavaTools

Extracted

Family

bitrat

Version

1.38

C2

nicehash.at:6000

Attributes
  • communication_password

    74963e9852aafd36ba521fa22b39e244

  • install_dir

    localappdata

  • install_file

    Java.exe

  • tor_process

    tor

Targets

    • Target

      tmp

    • Size

      107KB

    • MD5

      f8a7a4c5d75bfda7dbadf09e3a39e089

    • SHA1

      4527a2ff764c084e55c190d98824ef664a6f1892

    • SHA256

      6bb0ee5036962c86db2292f5ccd21d63a22cbb17a6937c0d89b53ea97b77e8e6

    • SHA512

      54887714264f38063eb6166b3d77ba949ddf2b70d169f5d24fdddadb4cee8572d25031b0bcb0ecaa87deccce7b4449d41e7017debf2db7933598c9f18bd735e1

    Score
    10/10
    bitratquasarredlinecheatoffice04discoveryinfostealerpersistencespywarestealertrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks