icexloader | 60dc14153f386290f2bac0790860a900f665eeb26528cc02befdd222bfbc343e | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

60dc14153f386290f2bac0790860a900f665eeb26528cc02befdd222bfbc343e
Size

12KB
Sample

220912-hcv9jacfh5
MD5

bb0d07a298fca239c73f2da04aa38e36
SHA1

e1f27efbb98e4c8cbe4d04328572a94f75677e73
SHA256

60dc14153f386290f2bac0790860a900f665eeb26528cc02befdd222bfbc343e
SHA512

2927bbdb6d0f2c301f5f89f42de2bf84f3a9d510c5a97cab2b840d8ec58dbe740dc0cf06a94b86ad474eebfdebcaaac1065c70ead2820a762b79e1bd7938984a
SSDEEP

192:aL859CLPN0L59JUMmYVY2qq3qWr1b6faadrq8uSF3e:68PCLPN01PUMme3l3Tr1b6fJUSFu

Score

10^/10

icexloader quasar 2cca loader persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

60dc14153f386290f2bac0790860a900f665eeb26528cc02befdd222bfbc343e.exe

Resource

win10-20220901-en

icexloader quasar 2cca loader persistence spyware trojan

windows10-1703-x64

18 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://microsoftdownload.ddns.net:8808/downloader/WinSecurityUpdate

Extracted

Family

icexloader

C2

http://microsoftdownload.ddns.net:8808/Server/Script.php

Extracted

Family

quasar

Version

2.7.0.0

Botnet

2CCA

C2

thisisfakeih2d.ddns.net:4545

Mutex

GXLGIiyQp5wWhAjcFv

Attributes

encryption_key
JsEHaZbfJjURZfPkp9qk
install_name
face.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client

Targets

- Target
  
  60dc14153f386290f2bac0790860a900f665eeb26528cc02befdd222bfbc343e
- Size
  
  12KB
- MD5
  
  bb0d07a298fca239c73f2da04aa38e36
- SHA1
  
  e1f27efbb98e4c8cbe4d04328572a94f75677e73
- SHA256
  
  60dc14153f386290f2bac0790860a900f665eeb26528cc02befdd222bfbc343e
- SHA512
  
  2927bbdb6d0f2c301f5f89f42de2bf84f3a9d510c5a97cab2b840d8ec58dbe740dc0cf06a94b86ad474eebfdebcaaac1065c70ead2820a762b79e1bd7938984a
- SSDEEP
  
  192:aL859CLPN0L59JUMmYVY2qq3qWr1b6faadrq8uSF3e:68PCLPN01PUMme3l3Tr1b6fJUSFu
Score

10^/10

icexloader quasar 2cca loader persistence spyware trojan
- Detects IceXLoader v3.0
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- icexloader
  IceXLoader is a downloader used to deliver other malware families.
  loader icexloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

icexloaderquasar2ccaloaderpersistencespywaretrojan

© 2018-2024

Terms | Privacy