Analysis
-
max time kernel
154s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29-01-2023 19:45
General
-
Target
2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe
-
Size
9.8MB
-
MD5
fd86b6c98d65c9d38322424386034c81
-
SHA1
9c548ab70e4d4f18e92b5cdd62c909c58f5e9b66
-
SHA256
2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad
-
SHA512
6eed4fdb7b3c5896ffa93a20671e36068258425e2ac29edcedfd2638a2ea7a16b302ac8e91a91ef3061355ea1c0e154976476d1ea9d15409fe830cebf31a2f12
-
SSDEEP
196608:6C86m9+NO3mj55jt28jBDpOGce1rjUhz+XshT3olw39xPis5BskMoiE:6C86SMO3iDhBU5hT3o239xqo
Malware Config
Extracted
quasar
2.6.0.0
defender
20.82.128.5:4444
HkuL6QRMZaTdYNlEJY
-
encryption_key
auS4Dqyt2zp1gKolism7
-
install_name
Venom.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
-
subdirectory
C:\Users\neilish\Desktop\rat
Extracted
njrat
v2.0
HacKed
20.199.40.163:4444
Launcher
-
reg_key
Launcher
-
splitter
|-F-|
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 7 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 5 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe"C:\Users\Admin\AppData\Local\Temp\2c0104fcca2ac01baf9d38f9b87f00205c15904b5e63f625fadd82ba293c50ad.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\proton_nutsed.exe"C:\Users\Admin\AppData\Roaming\proton_nutsed.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\proton_nutsed.exe"C:\Users\Admin\AppData\Roaming\proton_nutsed.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\neilish\Desktop\rat\Venom.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\launcher.exe"C:\Users\Admin\AppData\Roaming\launcher.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FiveM_Launcher.exe"C:\Users\Admin\AppData\Local\Temp\FiveM_Launcher.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\build.exe"C:\Users\Admin\AppData\Roaming\build.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Lancher.exe"C:\Users\Admin\AppData\Roaming\Lancher.exe"5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.exe"6⤵
- Drops startup file
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Launcher.exe"6⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Lancher.exe"5⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\proton_nutsed.exe.logFilesize
410B
MD53bbb825ef1319deb378787046587112b
SHA167da95f0031be525b4cf10645632ca34d66b913b
SHA256d9c6d00fad02f7a9ef0fcddc298ffd58b17020fb12b1336d5733237cbfadb1e0
SHA5127771ae543e188d544e1bb6c65e0453a6777c1c39790a355f4cce652a815bfaf94dd426de3db910a67bd06e463ac0143d9e2ca44d2b12af7f0d84c27b4a09cc54
-
C:\Users\Admin\AppData\Local\Temp\FiveM_Launcher.exeFilesize
4.1MB
MD5d97d05bc66dd1f32b058efe158a8a0d7
SHA1249f438bb523fa16535c5e136aced415ac9f500c
SHA2566714c9c4d30e77ec4d73efaa3e599c2021ef5ada3806a0c2ffa660af147de4fd
SHA512dc1775f16efeb82fb46212697987090d10bc965ef695481640b41956620b30905d6e2e56738696c36a30163bd8e47d5311a3b496702cc9b2ab4a286fb0209ae1
-
C:\Users\Admin\AppData\Local\Temp\FiveM_Launcher.exeFilesize
4.1MB
MD5d97d05bc66dd1f32b058efe158a8a0d7
SHA1249f438bb523fa16535c5e136aced415ac9f500c
SHA2566714c9c4d30e77ec4d73efaa3e599c2021ef5ada3806a0c2ffa660af147de4fd
SHA512dc1775f16efeb82fb46212697987090d10bc965ef695481640b41956620b30905d6e2e56738696c36a30163bd8e47d5311a3b496702cc9b2ab4a286fb0209ae1
-
C:\Users\Admin\AppData\Local\Temp\launcher.exeFilesize
115KB
MD592e7b3f8c98bf7e5364895375f1f21e0
SHA19bcdde5a659124a7eb104806164cba6a401a2cca
SHA256f53dc81b434a31269a56a9493c9b3709293dc10d91acdc9eb081700152b52f1a
SHA512d2d5ce098cc683cbf3c3af854ca790a1730d1723b72a3aec309f25266b92ac9806c5ad11c27119f9af9a17490d68dd312f831339a54eadb2152b916f4513a129
-
C:\Users\Admin\AppData\Local\Temp\launcher.exeFilesize
115KB
MD592e7b3f8c98bf7e5364895375f1f21e0
SHA19bcdde5a659124a7eb104806164cba6a401a2cca
SHA256f53dc81b434a31269a56a9493c9b3709293dc10d91acdc9eb081700152b52f1a
SHA512d2d5ce098cc683cbf3c3af854ca790a1730d1723b72a3aec309f25266b92ac9806c5ad11c27119f9af9a17490d68dd312f831339a54eadb2152b916f4513a129
-
C:\Users\Admin\AppData\Roaming\Lancher.exeFilesize
27KB
MD5c487633021a7d70b1d5be2a7879d018b
SHA1b55e4bf976626745ccde46a5c0c3f9b9f9f8bfe0
SHA25684df966c4027d481e42c348d20e163d15b2a36f7c46d872b524ea61cddeb36b1
SHA512d8a997c3f3d5215e29ab37b67c8bfedda62ec4b0c7e8889ba7f771a0cf4aa85160c4854ce72671c2e870341bcc5010c1ef372396065355b80a4e94a4f766b1de
-
C:\Users\Admin\AppData\Roaming\Lancher.exeFilesize
27KB
MD5c487633021a7d70b1d5be2a7879d018b
SHA1b55e4bf976626745ccde46a5c0c3f9b9f9f8bfe0
SHA25684df966c4027d481e42c348d20e163d15b2a36f7c46d872b524ea61cddeb36b1
SHA512d8a997c3f3d5215e29ab37b67c8bfedda62ec4b0c7e8889ba7f771a0cf4aa85160c4854ce72671c2e870341bcc5010c1ef372396065355b80a4e94a4f766b1de
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.exeFilesize
27KB
MD5c487633021a7d70b1d5be2a7879d018b
SHA1b55e4bf976626745ccde46a5c0c3f9b9f9f8bfe0
SHA25684df966c4027d481e42c348d20e163d15b2a36f7c46d872b524ea61cddeb36b1
SHA512d8a997c3f3d5215e29ab37b67c8bfedda62ec4b0c7e8889ba7f771a0cf4aa85160c4854ce72671c2e870341bcc5010c1ef372396065355b80a4e94a4f766b1de
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.lnkFilesize
1KB
MD5b274fc189392b6f46e3e0dfb51350f21
SHA1ffdf514e6ffd7c7bca7d06da8c7ca40723b2c151
SHA2560fc3e9b627323dc5eb9aba3c729052f4137e425595f045fb60a8c8817dd34af5
SHA51233071b6652bd291cfee9e4bb777afc271360e82b2d473bf1d1951a95dc692db68d5c7c72c6d70b6bbf07bea816d4b433694583d21aad1b6e8ae6cd20555f9152
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Launcher.lnkFilesize
1KB
MD52ebb9c81fec38b8a9c0c60315377dd93
SHA136aff15f7a61c43d00f33a08ed9e46f194aa139d
SHA256484c58549db044a4d37e2b1c2601440051208ac45cd1453ca33268f5a80db6db
SHA512478300e810193d4495ff3d626394bcca1e542430aa4e79573d8e2b9ec47e8951b068b0317aaeb4ac7d4afc8b744a4d8808e15cce74b5dfd13fad13ad0a777055
-
C:\Users\Admin\AppData\Roaming\build.exeFilesize
27KB
MD5c487633021a7d70b1d5be2a7879d018b
SHA1b55e4bf976626745ccde46a5c0c3f9b9f9f8bfe0
SHA25684df966c4027d481e42c348d20e163d15b2a36f7c46d872b524ea61cddeb36b1
SHA512d8a997c3f3d5215e29ab37b67c8bfedda62ec4b0c7e8889ba7f771a0cf4aa85160c4854ce72671c2e870341bcc5010c1ef372396065355b80a4e94a4f766b1de
-
C:\Users\Admin\AppData\Roaming\build.exeFilesize
27KB
MD5c487633021a7d70b1d5be2a7879d018b
SHA1b55e4bf976626745ccde46a5c0c3f9b9f9f8bfe0
SHA25684df966c4027d481e42c348d20e163d15b2a36f7c46d872b524ea61cddeb36b1
SHA512d8a997c3f3d5215e29ab37b67c8bfedda62ec4b0c7e8889ba7f771a0cf4aa85160c4854ce72671c2e870341bcc5010c1ef372396065355b80a4e94a4f766b1de
-
C:\Users\Admin\AppData\Roaming\launcher.exeFilesize
7.5MB
MD5cda766c0b83e282f69aaa18f3684b4c2
SHA1bf7acb1048f02d3cb0738827d2ad326c99b92bde
SHA256a793fe6608b572bc6052e1e4a77bbdf607a38b5194ae9e1bc1abecdb3e61dfb4
SHA5121d5971172f54bddb35c8f98e0b7ac3d0f0e49e4a2272b732dfed2bbfa9e440d6a58af0c2b2b7553946cf6540c6df22884476e6bfb159dd12cddff249c70f0ed6
-
C:\Users\Admin\AppData\Roaming\launcher.exeFilesize
7.5MB
MD5cda766c0b83e282f69aaa18f3684b4c2
SHA1bf7acb1048f02d3cb0738827d2ad326c99b92bde
SHA256a793fe6608b572bc6052e1e4a77bbdf607a38b5194ae9e1bc1abecdb3e61dfb4
SHA5121d5971172f54bddb35c8f98e0b7ac3d0f0e49e4a2272b732dfed2bbfa9e440d6a58af0c2b2b7553946cf6540c6df22884476e6bfb159dd12cddff249c70f0ed6
-
C:\Users\Admin\AppData\Roaming\proton_nutsed.exeFilesize
3.8MB
MD5b0ea73cc98e5b248955ae7bac0f9d031
SHA118e03a76d01d7f8b423cabb42134f8149732cdea
SHA256c2ea4b1081b9d58f43bf9f695044782b10fd4884bf90ad9ca068a181fb578f64
SHA5125794fcbee980e3e865ce0547819d55e3ec3dfcbdf5239fc0642a4c6519ac072d4193f846506e6b8f810fe3feeea9bd0861716981cebd4868949184d9d520e83f
-
C:\Users\Admin\AppData\Roaming\proton_nutsed.exeFilesize
3.8MB
MD5b0ea73cc98e5b248955ae7bac0f9d031
SHA118e03a76d01d7f8b423cabb42134f8149732cdea
SHA256c2ea4b1081b9d58f43bf9f695044782b10fd4884bf90ad9ca068a181fb578f64
SHA5125794fcbee980e3e865ce0547819d55e3ec3dfcbdf5239fc0642a4c6519ac072d4193f846506e6b8f810fe3feeea9bd0861716981cebd4868949184d9d520e83f
-
C:\Users\Admin\AppData\Roaming\proton_nutsed.exeFilesize
3.8MB
MD5b0ea73cc98e5b248955ae7bac0f9d031
SHA118e03a76d01d7f8b423cabb42134f8149732cdea
SHA256c2ea4b1081b9d58f43bf9f695044782b10fd4884bf90ad9ca068a181fb578f64
SHA5125794fcbee980e3e865ce0547819d55e3ec3dfcbdf5239fc0642a4c6519ac072d4193f846506e6b8f810fe3feeea9bd0861716981cebd4868949184d9d520e83f
-
memory/932-144-0x0000000004F60000-0x0000000004FF2000-memory.dmpFilesize
584KB
-
memory/932-143-0x00000000055D0000-0x0000000005B74000-memory.dmpFilesize
5.6MB
-
memory/932-140-0x00000000001E0000-0x00000000005A8000-memory.dmpFilesize
3.8MB
-
memory/932-133-0x0000000000000000-mapping.dmp
-
memory/1116-176-0x0000000070360000-0x0000000070911000-memory.dmpFilesize
5.7MB
-
memory/1116-180-0x0000000070360000-0x0000000070911000-memory.dmpFilesize
5.7MB
-
memory/1116-169-0x0000000000000000-mapping.dmp
-
memory/1200-139-0x0000000075470000-0x0000000075A21000-memory.dmpFilesize
5.7MB
-
memory/1200-132-0x0000000075470000-0x0000000075A21000-memory.dmpFilesize
5.7MB
-
memory/1292-172-0x0000000000000000-mapping.dmp
-
memory/1820-156-0x0000000000810000-0x0000000000834000-memory.dmpFilesize
144KB
-
memory/1820-152-0x0000000000000000-mapping.dmp
-
memory/1820-158-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmpFilesize
10.8MB
-
memory/1820-166-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmpFilesize
10.8MB
-
memory/2164-162-0x0000000000000000-mapping.dmp
-
memory/2164-168-0x0000000070360000-0x0000000070911000-memory.dmpFilesize
5.7MB
-
memory/2164-175-0x0000000070360000-0x0000000070911000-memory.dmpFilesize
5.7MB
-
memory/3644-136-0x0000000000000000-mapping.dmp
-
memory/3644-141-0x0000000000B50000-0x00000000012CE000-memory.dmpFilesize
7.5MB
-
memory/3644-142-0x0000000005B90000-0x0000000005C2C000-memory.dmpFilesize
624KB
-
memory/4616-178-0x0000000000000000-mapping.dmp
-
memory/4692-155-0x00000000004C0000-0x00000000008DE000-memory.dmpFilesize
4.1MB
-
memory/4692-160-0x00000000053F0000-0x0000000005446000-memory.dmpFilesize
344KB
-
memory/4692-149-0x0000000000000000-mapping.dmp
-
memory/4692-159-0x00000000051F0000-0x00000000051FA000-memory.dmpFilesize
40KB
-
memory/4960-146-0x0000000000400000-0x00000000007C2000-memory.dmpFilesize
3.8MB
-
memory/4960-145-0x0000000000000000-mapping.dmp
-
memory/4960-157-0x0000000005BC0000-0x0000000005C26000-memory.dmpFilesize
408KB
-
memory/4960-165-0x0000000006F50000-0x0000000006F8C000-memory.dmpFilesize
240KB
-
memory/4960-161-0x0000000006230000-0x0000000006242000-memory.dmpFilesize
72KB
-
memory/4984-177-0x0000000000000000-mapping.dmp
-
memory/5000-167-0x0000000000000000-mapping.dmp