General

  • Target

    SpyNote_8.6.rar

  • Size

    34.9MB

  • Sample

    230113-npep7scc4y

  • MD5

    f7252c8641b3189989fca85eeee82f57

  • SHA1

    5518bd6684d4fb763a89cd2327eff9ff60266d25

  • SHA256

    1329f5e409cf92386843f5d73a5dfe954604bf15763dba212440cec44a9f124c

  • SHA512

    1d52e434a2e5e1dace8027ec8a724e93d44a8c58fc841bc9e833af45bc474dacd94ae1ce40fbcc4e355befc1de67749b6b79348e8428bc16e929cf9f6a0a39c6

  • SSDEEP

    786432:uZZbT7qEvplSQFog9cry66vbDXDChSESmnM8BNvnNgs+KU0z:u7bT7fSY096vDCUERtBN/NgstU0z

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

smtp.yassine-bolard.nl:72

82.65.150.176:72

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

  • encryption_key

    oacDd8MguAxsN1YILaEK

  • install_name

    $77Discord.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Discord_Update

  • subdirectory

    Discord_Updater

Targets

    • Target

      SpyNote_8.6/Resources/Imports/Payload/SL.exe

    • Size

      1.5MB

    • MD5

      2eabc8a774c544e9b6e23ba1b83ed783

    • SHA1

      a880005b4f619e004f4d9adcce2a9612112c26b2

    • SHA256

      0080743a4364b8e5d8ec6a19010ee12dc79fcf815f592db639af262420ada0f8

    • SHA512

      ed8cd1ec97e0954715c81c284bbc2751340a7933511862cda65e72be35fdd9d4a8693066f3023025f92b06c845173c2e5da6f4d88a3e97c62c640643dff475a9

    • SSDEEP

      768:1KSAOfhZXvSzjWKDIp93ZZwpZpTQdBHiF7QHsIMd3uDzZuFs+mk:nrfhZXvSzjWb5wz16S7l9eDzZu7

    Score
    1/10
    • Target

      SpyNote_8.6/Resources/Imports/PlayerJava/PlayerJava.jar

    • Size

      3KB

    • MD5

      d9c23d7574c0d886321dcd029e463f2c

    • SHA1

      7fad47eb6860a01325c6d526a43d9bbadb66aff7

    • SHA256

      e22d8a06415f21b900a9a079a6a7928d6c84d2cf33aa07c6ad385dfbbfcd55ed

    • SHA512

      c32c019fb0bacbd70441cf3ed769bfde9597389f840ff8511db36586756382ef22bd163a7b7cb9e258a4b7a896e5d1a606d92513a141cb2e3c6e421a66ecb316

    Score
    1/10
    • Target

      SpyNote_8.6/Resources/Imports/T/sS.exe

    • Size

      20KB

    • MD5

      fcc080409bf077b1c85f159218e62dbf

    • SHA1

      616e64d4ca2286d4f4b11df583fa2b9ba81c6e78

    • SHA256

      e3865e0d3f776a6827f4ddb640cc66c56ede8826a1f29383e3578b85caf248ef

    • SHA512

      14d7ceac1730faadfe10ff573ed825f8e449c7ae879892d09d832b67d68a128c07ef94c675a5221edde82e7b73fd1b852ddbda7894e554cce98fa1625fb00eb6

    • SSDEEP

      384:3AOcHfvbeLb7i4yimcx5GLD9WLEO2a0R7RknlcDqfJ:3AO+fDen7i4fmFrRFknGDy

    Score
    1/10
    • Target

      SpyNote_8.6/Resources/Imports/platform-tools/plwin.exe

    • Size

      25KB

    • MD5

      9aadaec3eccf406b2591e32c438a67a4

    • SHA1

      fb971b1687400fcedf5ac4a36f45ead3b54d14e3

    • SHA256

      268fa687554273029bf87668367b4084d4928de6b2a4cf4fbcd52e944d0efe16

    • SHA512

      cba31ace6459a83dca18a486fc7a06da50419442d92e25e2661fdc101542b49ae3778fe197b6409396b7093747c67316917760de8576d351cd37e51e3dda9d3d

    • SSDEEP

      768:Q3ULAwpnEUaSCMc/o6/d5cfsEAIHtYcFmVc6K:eULAwcSCMcdWfsQfmVcl

    Score
    1/10
    • Target

      SpyNote_8.6/SpyNote_8.6.exe

    • Size

      20.6MB

    • MD5

      a85a3487b761469b8d2e412331d8d1c7

    • SHA1

      7ee2a306d942b37baad5943a42ae40c673376161

    • SHA256

      719d66cf2ffd53ffc2db32097433bf9bdc169d67e4d03474a5bd0c3bdf68f37d

    • SHA512

      35af4f14d101f0bd01fbf87363cc03216a1258bcfdb33c5886d430b7fa7fd53c11729955128e516660306c0f15674144b347ad434b2682792e91d8812be4fac7

    • SSDEEP

      393216:BnSbLcYDnp2+qKRLaS1GB6jMI/0s7bynxYnMHcBNvUqvvDY4g3X9w+ijU0UkL2Y:DYTpD7LaS1GVI8xmnM8BNvnNg6+KU0L

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first sight, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (1) T1053

Persistence

  • Modify Existing Service (1) T1031

  • Scheduled Task (1) T1053

Privilege Escalation

  • Scheduled Task (1) T1053

Defense Evasion

  • Modify Registry (2) T1112

  • Disabling Security Tools (2) T1089

Discovery

  • Query Registry (1) T1012

  • System Information Discovery (2) T1082

  • Remote System Discovery (1) T1018

Tasks