Analysis
-
max time kernel
30s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
13-01-2023 11:42
General
-
Target
BitRat Cracked.exe
-
Size
28.7MB
-
MD5
cf7429f7c62ad8bd2e3badc42befbb3a
-
SHA1
c93f97d3db5e3ee06611ca4b4e037d024098e94f
-
SHA256
a52e2fd8be23a1efd9eb4d0b165f30a089c129a790c9d4b65acef032fbd44c8e
-
SHA512
5cc5ed688d3a83087f59141adf32d8e37678e483170bdfdced8bc7d287e4b8a521d526265068d7c423f5582522e315283cece5e32480b4d8c5dabf506609f565
-
SSDEEP
393216:6oirBgdxc1lGOHYae79hLhq3QXCjHnLAusN/IaXwQVL9YbE0kmCGJ6GLR5YjIn4S:H/TOHCHtq3QXCT4t79YbE0RJPOxtH5O
Malware Config
Extracted
quasar
2.1.0.0
Office04
smtp.yassine-bolard.nl:72
82.65.150.176:72
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
-
encryption_key
oacDd8MguAxsN1YILaEK
-
install_name
$77Discord.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Discord_Update
-
subdirectory
Discord_Updater
Signatures
-
Contains code to disable Windows Defender 5 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 5 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Nirsoft 5 IoCs
-
Executes dropped EXE 10 IoCs
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 5 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 59 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BitRat Cracked.exe"C:\Users\Admin\AppData\Local\Temp\BitRat Cracked.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows_Update\Discord.exe"C:\Program Files\Windows_Update\Discord.exe" -pKazutoSan72@$%2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows_Security\Discord.exe"C:\Program Files\Windows_Security\Discord.exe" -pKazutoSan72@$%?:YB3813⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows_Security\AdvancedRun.exe"C:\Program Files\Windows_Security\AdvancedRun.exe" /EXEFilename Test.bat /RunAs 8 /Run4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows_Security\AdvancedRun.exe"C:\Program Files\Windows_Security\AdvancedRun.exe" /SpecialRun 14001f2b0 9645⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\Windows_Security\AdvancedRun.exe"C:\Program Files\Windows_Security\AdvancedRun.exe" /EXEFilename Test.bat /RunAs 8 /Run4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows_Security\AdvancedRun.exe"C:\Program Files\Windows_Security\AdvancedRun.exe" /SpecialRun 14001f2b0 45365⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files\Windows_Security\Discord1.exe"C:\Program Files\Windows_Security\Discord1.exe" -pKazutoSan72@$%?:YB3813⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows_Apps\$77-Venom72.exe"C:\Program Files\Windows_Apps\$77-Venom72.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Discord_Update" /sc ONLOGON /tr "C:\Program Files\Windows_Apps\$77-Venom72.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe"C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Discord_Update" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord_Updater\$77Discord.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOjZW2EA00sg.bat" "5⤵
-
-
-
-
-
C:\Program Files\Windows_Update\BitRAT_fix-cleaned.exe"C:\Program Files\Windows_Update\BitRAT_fix-cleaned.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
576KB
MD580495befd515f6af32389c1cfb3e8c5b
SHA129ec599e91edffe758d0613540fa02da686f1746
SHA256775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b
SHA512bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f
-
Filesize
576KB
MD580495befd515f6af32389c1cfb3e8c5b
SHA129ec599e91edffe758d0613540fa02da686f1746
SHA256775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b
SHA512bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f
-
Filesize
148KB
MD5fd048f729a521a51273897c937b0a132
SHA13ba5137721c135fe125f9667c45b01b9728d21ed
SHA25671750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4
SHA5129a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec
-
Filesize
148KB
MD5fd048f729a521a51273897c937b0a132
SHA13ba5137721c135fe125f9667c45b01b9728d21ed
SHA25671750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4
SHA5129a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec
-
Filesize
148KB
MD5fd048f729a521a51273897c937b0a132
SHA13ba5137721c135fe125f9667c45b01b9728d21ed
SHA25671750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4
SHA5129a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec
-
Filesize
148KB
MD5fd048f729a521a51273897c937b0a132
SHA13ba5137721c135fe125f9667c45b01b9728d21ed
SHA25671750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4
SHA5129a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec
-
Filesize
148KB
MD5fd048f729a521a51273897c937b0a132
SHA13ba5137721c135fe125f9667c45b01b9728d21ed
SHA25671750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4
SHA5129a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec
-
Filesize
339KB
MD57982a3c8d157fab1222054474d772332
SHA1f134d7ce11e37e30e07a73f0d8c7bc0a87c04492
SHA2567dc4ae41a5820fbdfc912cd1ef586f7ad80e77ca0b4f6c364255cfb01dac648c
SHA512182bd93ebd698850bd112779f4e06f1b561edbdcb6243d5df5112fedb95a267f47a548d3b9e0fde7ae3ed1fbdb72881405757b7ea7326810d42ea78123562d97
-
Filesize
339KB
MD57982a3c8d157fab1222054474d772332
SHA1f134d7ce11e37e30e07a73f0d8c7bc0a87c04492
SHA2567dc4ae41a5820fbdfc912cd1ef586f7ad80e77ca0b4f6c364255cfb01dac648c
SHA512182bd93ebd698850bd112779f4e06f1b561edbdcb6243d5df5112fedb95a267f47a548d3b9e0fde7ae3ed1fbdb72881405757b7ea7326810d42ea78123562d97
-
Filesize
541KB
MD5dead320a00168f6625dd7be9b6b70e20
SHA151624ff21ffaf610c8655826ca17ea833fa611f7
SHA2561d5053b75e4199446b32a86f358928669397c5fb2cf17049e1e9241cb1b1b7c5
SHA512713f32bce99fbf09164a53e18506ae260c5ac12efea5420eb81510ebb27309e8f7cbdc4e001c8b28de1cb83c51f0014458cb060c64dcc0fd1a5b2a29d8455218
-
Filesize
541KB
MD5dead320a00168f6625dd7be9b6b70e20
SHA151624ff21ffaf610c8655826ca17ea833fa611f7
SHA2561d5053b75e4199446b32a86f358928669397c5fb2cf17049e1e9241cb1b1b7c5
SHA512713f32bce99fbf09164a53e18506ae260c5ac12efea5420eb81510ebb27309e8f7cbdc4e001c8b28de1cb83c51f0014458cb060c64dcc0fd1a5b2a29d8455218
-
Filesize
38.2MB
MD584a1766670e0410a9127c4f531113bf7
SHA13c5d8a37800719cac558f20b2d29894b4660bd0f
SHA2569a727321f210af2a38a8c9ab4502b3bb87969177b20f5c06801c231831095bd6
SHA512bed63e75ea52eb0d87b07465bc114be47681ea2fff4fcfb8d76f89d6e1f6980aa9f05cfbc79a3df19cfb0ef19cd98f876d456fc25e9e17f3e3c6b7b746df166d
-
Filesize
38.2MB
MD584a1766670e0410a9127c4f531113bf7
SHA13c5d8a37800719cac558f20b2d29894b4660bd0f
SHA2569a727321f210af2a38a8c9ab4502b3bb87969177b20f5c06801c231831095bd6
SHA512bed63e75ea52eb0d87b07465bc114be47681ea2fff4fcfb8d76f89d6e1f6980aa9f05cfbc79a3df19cfb0ef19cd98f876d456fc25e9e17f3e3c6b7b746df166d
-
Filesize
790KB
MD5ffbf8505009dcfee149e8a8c240ef82f
SHA1f07334436f15956c5078a5cfeb9a4305819e220d
SHA256308a6e24a3eeb14fdd7038566460b55db3bfe81ede2721a0128f1e142aeb41cb
SHA512307eac44f3c052603aa1126a24986ac3bc2cccde81379d229ed29a23f1936a917942a4967b07c266b7b6ec546e31707dad0a94f5adddac0707453927f4f8a8d8
-
Filesize
790KB
MD5ffbf8505009dcfee149e8a8c240ef82f
SHA1f07334436f15956c5078a5cfeb9a4305819e220d
SHA256308a6e24a3eeb14fdd7038566460b55db3bfe81ede2721a0128f1e142aeb41cb
SHA512307eac44f3c052603aa1126a24986ac3bc2cccde81379d229ed29a23f1936a917942a4967b07c266b7b6ec546e31707dad0a94f5adddac0707453927f4f8a8d8
-
Filesize
434KB
MD5b490bb6c6bbb4af7c43c15071c0e5034
SHA1828a03191d6df0d17975007f6bef8c56e371069d
SHA2560b94b3824761723400dc0357e7d490085a5ccf3415e332155c5b8d6c7bfb8788
SHA51227c60b0c7e85d22249332aeaf5fe1f0d6083e8f68cc461e4e97e3a394e108601378fd2bc7ec39c1fc2dc8338db87f5555511337e95921d63ab9ff7d5d18056a6
-
Filesize
1.0MB
MD560ac512e63a6b95eb37cfd530a01b94e
SHA14b5a1fa50008439ac074d732447ab9032a157114
SHA2569f3e7ea22d052fee0e5be8cd904ac4425f3840df7452c760d5cc5357830c394e
SHA512a6cbf2f1f6eedcb142aeca7218334dd16058b9f643e51cee4771e1a0f7124676361deac0c48d61468296e88035e4dd49b55fd139b80ece54c86c0338bdedd681
-
Filesize
4.3MB
MD5ec5d2e878ad0432b246901e0e41e9f25
SHA1b6032f95b0fc77a682628365cbbe7f1f3392e744
SHA256a249008a635defa206f4568dcaae7c598e4dcf605bcace5117a407a8ac23da96
SHA5120fe13c6cdf6f38db58340f4a0e1cbc8d069ba58df9d49fd9c6039a41cfb8ddd4c987f192de6dc9d776f5898cb891c89b2aac137505b18728579c592c23a34f78
-
Filesize
67KB
MD54d9943a0adc1a3bd1472bdbab649a436
SHA1f0f36e014a71e21e629cabaa835f39a4e775e092
SHA25687dd71ac71bca50d9f1179215bbc4a25783c6a959def5c1850683eb41f6b0322
SHA51221766452cd53a2344c321b042984a08bcb46dac5e2b06dcd25f1a740e4018cb0f90d39b95414febd76d4c1447efc0dcae6dfa1ee176fdfab654a4efd2e705492
-
Filesize
67KB
MD54d9943a0adc1a3bd1472bdbab649a436
SHA1f0f36e014a71e21e629cabaa835f39a4e775e092
SHA25687dd71ac71bca50d9f1179215bbc4a25783c6a959def5c1850683eb41f6b0322
SHA51221766452cd53a2344c321b042984a08bcb46dac5e2b06dcd25f1a740e4018cb0f90d39b95414febd76d4c1447efc0dcae6dfa1ee176fdfab654a4efd2e705492
-
Filesize
67KB
MD54d9943a0adc1a3bd1472bdbab649a436
SHA1f0f36e014a71e21e629cabaa835f39a4e775e092
SHA25687dd71ac71bca50d9f1179215bbc4a25783c6a959def5c1850683eb41f6b0322
SHA51221766452cd53a2344c321b042984a08bcb46dac5e2b06dcd25f1a740e4018cb0f90d39b95414febd76d4c1447efc0dcae6dfa1ee176fdfab654a4efd2e705492
-
Filesize
67KB
MD54d9943a0adc1a3bd1472bdbab649a436
SHA1f0f36e014a71e21e629cabaa835f39a4e775e092
SHA25687dd71ac71bca50d9f1179215bbc4a25783c6a959def5c1850683eb41f6b0322
SHA51221766452cd53a2344c321b042984a08bcb46dac5e2b06dcd25f1a740e4018cb0f90d39b95414febd76d4c1447efc0dcae6dfa1ee176fdfab654a4efd2e705492
-
Filesize
204B
MD5893393a81cff7ab7c361d71ba896185c
SHA1c993c1700c1be05f4154884c8a156878e775989a
SHA256dc85c52222e49b2c09de56469686fa497f99a3b22c1b379d8e2fa4c9821e6881
SHA512217cf1c501b53fd3ad5c7fe0b0178dcf959b6bca0c9b929f9194f347e70726e9c645c0c263fbd1330f8f2e8ee044caebf6ab2b4f5389042d7ccccd0ae8a62bca
-
Filesize
576KB
MD580495befd515f6af32389c1cfb3e8c5b
SHA129ec599e91edffe758d0613540fa02da686f1746
SHA256775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b
SHA512bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f
-
Filesize
576KB
MD580495befd515f6af32389c1cfb3e8c5b
SHA129ec599e91edffe758d0613540fa02da686f1746
SHA256775157d95dba8027eb71f061d11f805dae23b5bbd25ceb0edb7f0d3782f4e07b
SHA512bbbf4ba7c8a6b004ccda8924cea0e59504cdf43816961c5441bbc7fc3c3c22f805d8341eed22f13bdecbf2ad5f1ffe73f626d21a6035cac832c3e9427fa6745f
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
4.3MB
-
Filesize
10.8MB
-
Filesize
38.2MB
-
Filesize
1.1MB
-
Filesize
464KB
-
Filesize
600KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
216KB