Overview

overview

10

Static

static

3HkvftGZK9KZ.exe

windows7-x64

10

3HkvftGZK9KZ.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3HkvftGZK9KZ.exe

  • Size

    1.3MB

  • Sample

    221011-l798qahef9

  • MD5

    6ef27bb17948bf2cd5f17d32506ab25f

  • SHA1

    1cace02f54cb1696be68e2ee291e26c051293a51

  • SHA256

    4a412162a0b00623211b7303bc18b00b76d196ea8343a2c35abc262e9e97c9b2

  • SHA512

    38d33e4f1d445ddbb5a45be34f369e60b22f5c29733e3acec9b156851e8494cd5845d22b2c71794b51c2ae73a890685f35dc1738c0e706f8b93c2272545885de

  • SSDEEP

    24576:0KWHORcD/gtB49yDx553XTWcdjrFY5des+Lpq1qe9UdaRkss0:MHMRBO4TxXTLtLpqjOd+kss

Score
10/10
limeratquasaroffice04persistenceratspywarestealertrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

173.225.115.99:7702

Mutex

ecce8627-6b34-425d-8f0e-3a8923c66220

Attributes
  • encryption_key

    F04A75E6507173FAEEC2BB82C564030A5E8413FF

  • install_name

    ser.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    quar

Extracted

Family

limerat

Attributes
  • aes_key

    082808

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/Mh8T0LJe

  • delay

    6

  • download_payload

    false

  • install

    true

  • install_name

    limo.exe

  • main_folder

    Temp

  • payload_url

    https://mdl.arabou.edu.kw/ksa/user/profile/field/text/lang/en/VB64.exe

  • pin_spread

    true

  • sub_folder

    \Windows\

  • usb_spread

    true

Targets

    • Target

      3HkvftGZK9KZ.exe

    • Size

      1.3MB

    • MD5

      6ef27bb17948bf2cd5f17d32506ab25f

    • SHA1

      1cace02f54cb1696be68e2ee291e26c051293a51

    • SHA256

      4a412162a0b00623211b7303bc18b00b76d196ea8343a2c35abc262e9e97c9b2

    • SHA512

      38d33e4f1d445ddbb5a45be34f369e60b22f5c29733e3acec9b156851e8494cd5845d22b2c71794b51c2ae73a890685f35dc1738c0e706f8b93c2272545885de

    • SSDEEP

      24576:0KWHORcD/gtB49yDx553XTWcdjrFY5des+Lpq1qe9UdaRkss0:MHMRBO4TxXTLtLpqjOd+kss

    Score
    10/10
    quasaroffice04spywaretrojanlimeratpersistenceratstealer

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

      ratlimerat

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks