Overview

overview

10

Static

static

1

HEUR-Troja...ae.exe

windows7-x64

10

HEUR-Troja...ae.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-02-2023 00:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

  • Size

    16.5MB

  • MD5

    b9874cdde692f485a1c609aeafd075c3

  • SHA1

    8806ac9b20eaa78f89b5dfd1b78a3c7fb5cbffce

  • SHA256

    66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb

  • SHA512

    955e5e731e2d3fe9299fb90995fba95409d5b6086306960defbdc17f855175c63ccdb713f16b3e6ac3ee007f2317461d2e8693afefc56e7de494d879a3fd0aee

  • SSDEEP

    98304:AQC5lSLCSHP8Z2HOR0mW1LCjqOMKmxE6G:LC5R0mh

Score
10/10
bitrathiveratquasaretratspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ET

C2

orcus.dyndns.org:1605

lsdw.dyndns.org:1606

labeokunta.dynnds.org:1606

xpert.dyndns.biz:1605

qz.dyndns.org:1605

imageline.dyndns.org:1606

kontakt-update.selfip.net:1606
Mutex

QSR_MUTEX_X8N0tEAk1p1Gbe9ioj

Attributes
  • encryption_key

    jVpAHlJqCIQYSDZsOYMx

  • install_name

    Client.exe

  • log_directory

    db.xlm

  • reconnect_delay

    30000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

bitrat

Version

1.38

C2

hiv.dyndns.org:2222

Attributes
  • communication_password

    194dd40edef1873b88c241057bb55f1b

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • HiveRAT payload 11 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
      "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4148
    • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
      "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:3952
    • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
      "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe"
      2⤵
        PID:4668
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 188
          3⤵
          • Program crash
          PID:3844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4668 -ip 4668
      1⤵
        PID:4608

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe.log
        Filesize

        323B

        MD5

        4af72c00db90b95c23cc32823c5b0453

        SHA1

        80f3754f05c09278987cba54e34b76f1ddbee5fd

        SHA256

        5a99dc099cb5297a4d7714af94b14f170d8a0506899c82d6b8231a220f8dba5d

        SHA512

        47aa798c4822bfd0b2a9110fcd1531494da99cf6e4aba5b59bfc36e21fcb1bdb5378189318bbb8519f0e8be732d90637f787ab63997d106bbcff31396155f9ef

        Download Submit

      • memory/2952-133-0x0000000006760000-0x00000000067FC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2952-132-0x0000000000D70000-0x0000000001DFC000-memory.dmp

        Filesize

        16.5MB

        Download

      • memory/3952-172-0x0000000001820000-0x00000000018AE000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3952-178-0x0000000001820000-0x00000000018AE000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3952-182-0x0000000001820000-0x00000000018AE000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3952-139-0x0000000001820000-0x00000000018AE000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3952-138-0x0000000000400000-0x000000000048E000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3952-183-0x0000000001820000-0x00000000018AE000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3952-181-0x0000000001820000-0x00000000018AE000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3952-136-0x0000000000000000-mapping.dmp

        Download

      • memory/3952-174-0x0000000001820000-0x00000000018AE000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3952-173-0x0000000001820000-0x00000000018AE000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3952-155-0x0000000001820000-0x00000000018AE000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3952-171-0x0000000001820000-0x00000000018AE000-memory.dmp

        Filesize

        568KB

        Download

      • memory/3952-168-0x0000000001820000-0x00000000018AE000-memory.dmp

        Filesize

        568KB

        Download

      • memory/4148-137-0x0000000001760000-0x00000000017BE000-memory.dmp

        Filesize

        376KB

        Download

      • memory/4148-194-0x00000000061E0000-0x00000000061F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4148-196-0x0000000007380000-0x000000000738A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4148-151-0x0000000005D20000-0x0000000005DB2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4148-195-0x0000000007020000-0x000000000705C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4148-134-0x0000000000000000-mapping.dmp

        Download

      • memory/4148-135-0x0000000000400000-0x000000000045E000-memory.dmp

        Filesize

        376KB

        Download

      • memory/4148-144-0x0000000006230000-0x00000000067D4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4148-193-0x0000000005C80000-0x0000000005CE6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4668-145-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/4668-142-0x0000000000000000-mapping.dmp

        Download

      • memory/4668-165-0x0000000001500000-0x00000000018CE000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/4668-147-0x0000000001500000-0x00000000018CE000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/4668-156-0x0000000001500000-0x00000000018CE000-memory.dmp

        Filesize

        3.8MB

        Download