plaguebot | 81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2022 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe
Size

967KB
MD5

b03ccade490854df220914c4430967e2
SHA1

1911a59e8c4b427d3fbc8fc9c794886bd2d81305
SHA256

81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961
SHA512

0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36
SSDEEP

24576:xNxsglIPAtgV+rnEQBg2AdqgwGd9OCPltP0gxkR3dCqJO5VxQ75Sf1:57uKrnEQi2Ad/wQPLP0gx1qt5Sf1

Score

10^/10

plaguebot quasar skynet botnet spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

SKYNET

173.225.115.99:7702

Mutex

938cda17-a814-4925-8420-83a35a350164

Attributes

encryption_key
F04A75E6507173FAEEC2BB82C564030A5E8413FF
install_name
FileHistory.exe
log_directory
Logs
reconnect_delay
4000
startup_key
FileHistory
subdirectory
FileHistory

Signatures

PlagueBot
PlagueBot is an open source Bot written in Pascal.
botnet plaguebot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\discordnitro\Drop.exe	family_quasar
C:\Users\Admin\AppData\Roaming\discordnitro\Drop.exe	family_quasar
behavioral2/memory/4180-141-0x0000000000690000-0x000000000095A000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe	family_quasar
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe	family_quasar

PlagueBot Executable 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe	plaguebot

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

winmgr.exeDrop.exewinmgr.exeFileHistory.exewinmgr.exewinmgr.exe

pid process

4144 winmgr.exe
4180 Drop.exe
744 winmgr.exe
3132 FileHistory.exe
1804 winmgr.exe
1144 winmgr.exe

pid	process
4144	winmgr.exe
4180	Drop.exe
744	winmgr.exe
3132	FileHistory.exe
1804	winmgr.exe
1144	winmgr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1096 schtasks.exe
1160 schtasks.exe
3932 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Drop.exeFileHistory.exe

description pid process

Token: SeDebugPrivilege 4180 Drop.exe
Token: SeDebugPrivilege 3132 FileHistory.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

FileHistory.exe

pid process

3132 FileHistory.exe

pid	process
1096	schtasks.exe
1160	schtasks.exe
3932	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4180	Drop.exe
Token: SeDebugPrivilege	3132	FileHistory.exe

pid	process
3132	FileHistory.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exewinmgr.exeDrop.exeFileHistory.exe

description	pid	process	target process
PID 4844 wrote to memory of 1096	4844	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	schtasks.exe
PID 4844 wrote to memory of 1096	4844	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	schtasks.exe
PID 4844 wrote to memory of 1096	4844	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	schtasks.exe
PID 4844 wrote to memory of 3860	4844	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	schtasks.exe
PID 4844 wrote to memory of 3860	4844	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	schtasks.exe
PID 4844 wrote to memory of 3860	4844	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	schtasks.exe
PID 4844 wrote to memory of 4144	4844	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	winmgr.exe
PID 4844 wrote to memory of 4144	4844	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	winmgr.exe
PID 4844 wrote to memory of 4144	4844	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	winmgr.exe
PID 4144 wrote to memory of 4180	4144	winmgr.exe	Drop.exe
PID 4144 wrote to memory of 4180	4144	winmgr.exe	Drop.exe
PID 4180 wrote to memory of 1160	4180	Drop.exe	schtasks.exe
PID 4180 wrote to memory of 1160	4180	Drop.exe	schtasks.exe
PID 4180 wrote to memory of 3132	4180	Drop.exe	FileHistory.exe
PID 4180 wrote to memory of 3132	4180	Drop.exe	FileHistory.exe
PID 3132 wrote to memory of 3932	3132	FileHistory.exe	schtasks.exe
PID 3132 wrote to memory of 3932	3132	FileHistory.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe
"C:\Users\Admin\AppData\Local\Temp\146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"
2⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\SysWOW64\schtasks.exe
schtasks /Query /FO "LIST" /TN "WinManager"
2⤵
PID:3860

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
"C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe" /wait
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\AppData\Roaming\discordnitro\Drop.exe
Drop.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "FileHistory" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discordnitro\Drop.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1160

C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe
"C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "FileHistory" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3932

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
1⤵
- Executes dropped EXE
PID:744

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
1⤵
- Executes dropped EXE
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NewTask.xml
Filesize
1KB

MD5
c7d1a962e11260e1826dcd62b7074d44

SHA1
35b8aec70e9a96f6b4664481da9c1870241bfefa

SHA256
04383e045280090b8ab501376f3bbaf2f81559ddccd534f585b693cb0653c9cb

SHA512
10b2ca7f7808357e0cc18638775aa7454db96f0384117e3cbea1ef6241990262961a4a3f5b42d9d7da7d2c8e704e5a0bb9bc5e9c11a466d27d24ebfb139b4253

Download Submit
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe
Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe
Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\Drop.exe
Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\Drop.exe
Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
memory/1096-132-0x0000000000000000-mapping.dmp

Download
memory/1160-144-0x0000000000000000-mapping.dmp

Download
memory/3132-152-0x000000001CCA0000-0x000000001CD52000-memory.dmp

Filesize
712KB

Download
memory/3132-153-0x00007FFE939A0000-0x00007FFE94461000-memory.dmp

Filesize
10.8MB

Download
memory/3132-145-0x0000000000000000-mapping.dmp

Download
memory/3132-149-0x00007FFE939A0000-0x00007FFE94461000-memory.dmp

Filesize
10.8MB

Download
memory/3132-151-0x0000000002940000-0x0000000002990000-memory.dmp

Filesize
320KB

Download
memory/3860-134-0x0000000000000000-mapping.dmp

Download
memory/3932-150-0x0000000000000000-mapping.dmp

Download
memory/4144-135-0x0000000000000000-mapping.dmp

Download
memory/4180-148-0x00007FFE939A0000-0x00007FFE94461000-memory.dmp

Filesize
10.8MB

Download
memory/4180-142-0x00007FFE939A0000-0x00007FFE94461000-memory.dmp

Filesize
10.8MB

Download
memory/4180-141-0x0000000000690000-0x000000000095A000-memory.dmp

Filesize
2.8MB

Download
memory/4180-138-0x0000000000000000-mapping.dmp

Download