General

  • Target

    BitcoinFakeTransaction(1).zip

  • Size

    1.8MB

  • Sample

    230121-veh37sfa2x

  • MD5

    90f7d627c081ba7a8d9269ef12a0d40f

  • SHA1

    89923e6d770a228cf9ec197ce4c530b4ebb195fd

  • SHA256

    ed097795acee8f6fce5f80e71d2ed3cf6e27cbb3203673b6c1fc034bd3cee538

  • SHA512

    4aaa337ef98f1a84431f416532c18536b90e9040f2ae2447c54a07a7a0d5406483b90c020c4d1325d7e3f48affac5469916a39d3c08025353b3341c7327c631b

  • SSDEEP

    49152:Xq//LgmgdJjarYXwFZvQsFhww6pIYclZusmLh7yY0tm:6Lpg7jlwvLFRktctoByxk

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows securityy

C2

192.253.245.243:7812

Mutex

VNM_MUTEX_Lwt9GYx0ZlES09069Z

Attributes
  • encryption_key

    AhFntNS40ejah7Nv2cWL

  • install_name

    Window Security Health Service.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    window update

  • subdirectory

    windows Service32

Targets

    • Target

      BitcoinFakeTransaction(1).zip

    • Size

      1.8MB

    • MD5

      90f7d627c081ba7a8d9269ef12a0d40f

    • SHA1

      89923e6d770a228cf9ec197ce4c530b4ebb195fd

    • SHA256

      ed097795acee8f6fce5f80e71d2ed3cf6e27cbb3203673b6c1fc034bd3cee538

    • SHA512

      4aaa337ef98f1a84431f416532c18536b90e9040f2ae2447c54a07a7a0d5406483b90c020c4d1325d7e3f48affac5469916a39d3c08025353b3341c7327c631b

    • SSDEEP

      49152:Xq//LgmgdJjarYXwFZvQsFhww6pIYclZusmLh7yY0tm:6Lpg7jlwvLFRktctoByxk

    Score: 1/10

    • Target

      BitcoinFakeTransaction/BitcoinFakeTransaction.exe

    • Size

      997KB

    • MD5

      4fe10e794eb25820b63890cfa0abca42

    • SHA1

      321ecd39644a864a47cc3d431be53c8035acf59f

    • SHA256

      5cc80ef8d5cd9c1fffb5660dd739177ae9043cc13a022a8e8e2c696fa5fcf59e

    • SHA512

      728e83d4782347f8959c528579e504ec38fb8c5c18ebacceb106c46d5462ed731a685be3db0450d0dc5eb08f3f9ead13d5080ce244408e3d371e760dd159d70e

    • SSDEEP

      12288:1UTyp3ZXSXsy8p4pymXXOZ4z2im3eyOYZ/w4FGVIa9A30xT5uUPDP:1UTSo/Bpu4qim3nZ/wB9+wT5fP

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first sight, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      BitcoinFakeTransaction/ffmpeg.dll

    • Size

      2.2MB

    • MD5

      a8ef18a42f931ec927ada9d28c3c845e

    • SHA1

      45e3853ba2aa4912ec74e0c51684503d645bb882

    • SHA256

      5b9beea0c42bf17e00fc854434d73452087b7fed323a8f035478b284670fcdae

    • SHA512

      398ae8eb426275984b10698a1bd3992a17f73aeaeb99f9c0adc3db3ee396e864d50e3307a5e9b5f1987dca331505fd49ece0f173877ea6ffd942b2cba8e36d73

    • SSDEEP

      49152:gspMRI28259LtbjsjdbVmofrZq/zPhmFyuPAfL1s2OwGNbHRtL2:g4b2aux6LNbHD2

    Score: 1/10

    • Target

      BitcoinFakeTransaction/libEGL.dll

    • Size

      370KB

    • MD5

      31611ee5ec79234e559d8ef4a045b31f

    • SHA1

      2e0b682433fa3c5ee88a55a4b1e0cdeaf72a1efc

    • SHA256

      316b25ddca2c1035e8f599041480659374caf2b3fc8e3e4a3a8434024bd496e7

    • SHA512

      a1df2246af7f0f6e2cefc39174be870f23139b87b14b658cd6f267eacdd6936ff4f4ac6bd1071ca7bb2c4395db920dbd718812b1c524c0ac3bdef760833bde43

    • SSDEEP

      6144:pj0Aq7pjRaVlgZrNJserEW848VvGy1+Gew8YUo/9Jctrp2:pj0F7p4lgZZJsmbk+Gew8cM2

    Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                             Count  ID
--------------------  ------------------------------------  -----  -----
Execution             Scheduled Task                        1      T1053
Persistence           Modify Existing Service               1      T1031
Persistence           Registry Run Keys / Startup Folder    1      T1060
Persistence           Scheduled Task                        1      T1053
Privilege Escalation  Scheduled Task                        1      T1053
Defense Evasion       Modify Registry                       4      T1112
Defense Evasion       Disabling Security Tools              2      T1089
Defense Evasion       Install Root Certificate              1      T1130
Discovery             Query Registry                        1      T1012
Discovery             System Information Discovery          2      T1082
Discovery             Remote System Discovery               1      T1018

Tasks