Overview

overview

10

Static

static

1

BLToolsMod.exe

windows7-x64

10

BLToolsMod.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    91s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    05-02-2023 16:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BLToolsMod.exe

  • Size

    763KB

  • MD5

    869037e716218fb7551d84b8ce7d0ae7

  • SHA1

    12cb776519eeb2d5e6a7ab1ddce3a09f143d5f18

  • SHA256

    305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6

  • SHA512

    6840e10d1daeacd169dba4a0049bc3b9087726dd45551b9a9587d57ec45d926356ce1656a39fdf35c1acb4020c564ec1f6a910fd83cde99e3ff75195728c72d2

  • SSDEEP

    12288:SAZdPU5ttcsREhy5IYU8OaNISOvsk0gnT467zpmw7OfimWm/YfdFxfJ:S2UVc+EhyuAOaNIBXnT46fpmiOfimWy4

Score
10/10
purecrypterquasarrevengeratoffice04downloaderloaderpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

youhackernetpaingodxd.duckdns.org:5557

blablashitspreading.ddns.net:5557
Mutex

xEoEv3HHdyEIYwJRFM

Attributes
  • encryption_key

    w3WfcmWh1iXT9cxeKFEX

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Detect PureCrypter injector 1 IoCs
    loader
  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 6 IoCs
  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe
    "C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Roaming\Updater-File.exe
      "C:\Users\Admin\AppData\Roaming\Updater-File.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:960
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        3⤵
          PID:1916
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1744
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\llPH3dV70tF2.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1120
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:560
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:1868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1448
          2⤵
          • Program crash
          PID:1720

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\llPH3dV70tF2.bat
        Filesize

        270B

        MD5

        46a5e159f52adba19d306438a2d5eb72

        SHA1

        821260a538d3771a0ebb11f895697331a96daa35

        SHA256

        100273d3faefb83389d2db3b89aae8dadeb574c74776ade730faf9d9a0239933

        SHA512

        0c42da43a85388d85bf187406145e0336755f94a324e11c45e2730c288a47c74fa5d9bdccdcd31302df1042ccb9e666e3b3d3d5e2767506f499136b50996f7fc

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Logs\02-05-~1
        Filesize

        224B

        MD5

        fd010ea1b3798c5a0f9fd1494e508383

        SHA1

        340015cc251ac5897f00b945152cc3ca9e28cae3

        SHA256

        39d4c767e2fd899411f963eb23a06f531e7b65c6f2eb02db09dbb116a2dc7fee

        SHA512

        39d6d2cfcea4bf213ecb891e382951edd33f1c7722fa1a2051f31628ade3d5cb829864d9c5044cc40ff8363989324096d35ea9261dc9ca12d9b8ac8814d9832a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Updater-File.exe
        Filesize

        6KB

        MD5

        be2c9d9f3e9206eb7d809157ea37d0ea

        SHA1

        79fc984efb6d9e58c21f7c5dee8de2fc44710f62

        SHA256

        f07ca31e483745ac9fe74da53f939a797f3f8868717eb29f9f0d1286b89f6b79

        SHA512

        2510583a2690be0c48614fa21d24c2919d6c4f704d897ed4bb5a523d0bbc3616bd2aba7a6b22120068a24aa756a9b6f37feeb2b8eb461b86c2eacde935478d4b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Updater-File.exe
        Filesize

        6KB

        MD5

        be2c9d9f3e9206eb7d809157ea37d0ea

        SHA1

        79fc984efb6d9e58c21f7c5dee8de2fc44710f62

        SHA256

        f07ca31e483745ac9fe74da53f939a797f3f8868717eb29f9f0d1286b89f6b79

        SHA512

        2510583a2690be0c48614fa21d24c2919d6c4f704d897ed4bb5a523d0bbc3616bd2aba7a6b22120068a24aa756a9b6f37feeb2b8eb461b86c2eacde935478d4b

        Download Submit

      • \Users\Admin\AppData\Roaming\Updater-File.exe
        Filesize

        6KB

        MD5

        be2c9d9f3e9206eb7d809157ea37d0ea

        SHA1

        79fc984efb6d9e58c21f7c5dee8de2fc44710f62

        SHA256

        f07ca31e483745ac9fe74da53f939a797f3f8868717eb29f9f0d1286b89f6b79

        SHA512

        2510583a2690be0c48614fa21d24c2919d6c4f704d897ed4bb5a523d0bbc3616bd2aba7a6b22120068a24aa756a9b6f37feeb2b8eb461b86c2eacde935478d4b

        Download Submit

      • memory/320-66-0x0000000007170000-0x00000000073DE000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/320-62-0x0000000000A60000-0x0000000000A68000-memory.dmp

        Filesize

        32KB

        Download

      • memory/320-72-0x0000000004EA0000-0x0000000004EFE000-memory.dmp

        Filesize

        376KB

        Download

      • memory/960-70-0x000000006CB30000-0x000000006D0DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/960-69-0x000000006CB30000-0x000000006D0DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/960-71-0x000000006CB30000-0x000000006D0DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1744-77-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1744-81-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1744-74-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1744-83-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1744-76-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1744-78-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1744-73-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2032-65-0x0000000000475000-0x0000000000486000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2032-54-0x0000000000390000-0x0000000000454000-memory.dmp

        Filesize

        784KB

        Download

      • memory/2032-57-0x0000000075A71000-0x0000000075A73000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2032-56-0x0000000000380000-0x0000000000386000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2032-55-0x0000000006EB0000-0x0000000007006000-memory.dmp

        Filesize

        1.3MB

        Download