Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    7.0MB

  • Sample

    220905-vw9x9acefn

  • MD5

    1e5e25ae0b7ae0990dfac7d92a280213

  • SHA1

    3202d9ba9cc4a372b0b48a82b22a97fd7576b5ff

  • SHA256

    5b5df0d2cd1454c347a973e5278c8289830383bf937afa7c26b20426617f2462

  • SHA512

    da5982c4b95449fa0a639beda9bcd1d86bda997a56c69a2e6358ea378b54ee2b2be18030a4ac6f563669da2cda5994ceba83b3ad02a701ca4e56ce51a4d1cabb

  • SSDEEP

    196608:7mA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:7T20NKKI/0BfjFj0U5mEqddH/qW907NE

Score
10/10
bitratquasarxenarmoryoworldaspackv2collectionpasswordpersistencerecoveryspywarestealertrojanupx

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Yoworld

C2

anubisgod.duckdns.org:1338

Mutex

ec434dcc-84b6-4a93-9358-be83ce93fef5

Attributes
  • encryption_key

    0411D8B9B23547F86733347B0634010F112E158F

  • install_name

    Dlscord.exe

  • log_directory

    DlscordLogs

  • reconnect_delay

    3000

  • startup_key

    Dlscord

  • subdirectory

    Dlscord

Extracted

Family

bitrat

Version

1.38

C2

anubisgod.duckdns.org:1440

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    spottifyy

  • install_file

    spottifyy.exe

  • tor_process

    tor

Targets

    • Target

      tmp

    • Size

      7.0MB

    • MD5

      1e5e25ae0b7ae0990dfac7d92a280213

    • SHA1

      3202d9ba9cc4a372b0b48a82b22a97fd7576b5ff

    • SHA256

      5b5df0d2cd1454c347a973e5278c8289830383bf937afa7c26b20426617f2462

    • SHA512

      da5982c4b95449fa0a639beda9bcd1d86bda997a56c69a2e6358ea378b54ee2b2be18030a4ac6f563669da2cda5994ceba83b3ad02a701ca4e56ce51a4d1cabb

    • SSDEEP

      196608:7mA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:7T20NKKI/0BfjFj0U5mEqddH/qW907NE

    Score
    10/10
    bitratquasaryoworldaspackv2persistencespywaretrojanxenarmorcollectionpasswordrecoverystealerupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • XenArmor Suite

      XenArmor is as suite of password recovery tools for various application.

      recoverypasswordxenarmor

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks