General

  • Target

    tmp

  • Size

    7.0MB

  • Sample

    220922-ww7csscbd6

  • MD5

    90d11bc40e17839b51fcf6a2f0aebb12

  • SHA1

    66139f98aa2efbde94c5a6d5b6abd7099b1ac8b7

  • SHA256

    cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5

  • SHA512

    27298c219857f990a8cd8920e6380ffcac3d2952690df6b5d88833a085abaca2933a4637b7aeabbe83ed3c069d59895b583eb60950742ae299b718271d82e29b

  • SSDEEP

    196608:SmA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:ST20NKKI/0BfjFj0U5mEqddH/qW907NE

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

anubisgod.duckdns.org:1440

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    spottifyy

  • install_file

    spottifyy.exe

  • tor_process

    tor

Extracted

Family

quasar

Version

1.4.0

Botnet

Yoworld

C2

anubisgod.duckdns.org:1338

Mutex

ec434dcc-84b6-4a93-9358-be83ce93fef5

Attributes
  • encryption_key

    0411D8B9B23547F86733347B0634010F112E158F

  • install_name

    Dlscord.exe

  • log_directory

    DlscordLogs

  • reconnect_delay

    3000

  • startup_key

    Dlscord

  • subdirectory

    Dlscord

Targets

    • Target

      tmp

    • Size

      7.0MB

    • MD5

      90d11bc40e17839b51fcf6a2f0aebb12

    • SHA1

      66139f98aa2efbde94c5a6d5b6abd7099b1ac8b7

    • SHA256

      cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5

    • SHA512

      27298c219857f990a8cd8920e6380ffcac3d2952690df6b5d88833a085abaca2933a4637b7aeabbe83ed3c069d59895b583eb60950742ae299b718271d82e29b

    • SSDEEP

      196608:SmA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:ST20NKKI/0BfjFj0U5mEqddH/qW907NE

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • XenArmor Suite

      XenArmor is as suite of password recovery tools for various application.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks