Overview

overview

10

Static

static

1

kujik.exe

windows7-x64

10

kujik.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    kujik.exe

  • Size

    32.9MB

  • Sample

    230221-2erhxagh32

  • MD5

    a96513026d7c3abdeb5f31abb91dc86f

  • SHA1

    85a0327efaa990584591029f61ee9cb8d2eebd84

  • SHA256

    c9f747866b3808056c29656c2ed8dc9c74364e09604fe77a1984bd1247605842

  • SHA512

    d426a4437a12636c8abb833d870ded636cc4bc332a724558fc0773d856ff101099c28fa5bbe40bf46dfc91052b650fabe18c5988fbf322bac05cf1241f7f81ed

  • SSDEEP

    786432:uhNBs1A4fLzRgQCwhcdiUOSqq+vcG9DQSEfrJ7VllwjEcBSZo/Ed0kVNZMTUo:uzQTL6xdiPSqq+v3Ef/llDc0Gy0kVNIZ

Score
10/10
quasarstormkittykijukevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

kijuk

C2

76t7hh-51153.portmap.host:51153

craciton.duckdns.org:7771
Mutex

1cfe7ed6-9001-490c-9121-6234ae195f28

Attributes
  • encryption_key

    2C0C62BDD42E42BC77F98F8E1EE713B43F791267

  • install_name

    SiHost64.exe

  • log_directory

    MicrosoftWindows32

  • reconnect_delay

    69

  • startup_key

    Microsoft Helper

  • subdirectory

    WindowsHTR

Targets

    • Target

      kujik.exe

    • Size

      32.9MB

    • MD5

      a96513026d7c3abdeb5f31abb91dc86f

    • SHA1

      85a0327efaa990584591029f61ee9cb8d2eebd84

    • SHA256

      c9f747866b3808056c29656c2ed8dc9c74364e09604fe77a1984bd1247605842

    • SHA512

      d426a4437a12636c8abb833d870ded636cc4bc332a724558fc0773d856ff101099c28fa5bbe40bf46dfc91052b650fabe18c5988fbf322bac05cf1241f7f81ed

    • SSDEEP

      786432:uhNBs1A4fLzRgQCwhcdiUOSqq+vcG9DQSEfrJ7VllwjEcBSZo/Ed0kVNZMTUo:uzQTL6xdiPSqq+v3Ef/llDc0Gy0kVNIZ

    Score
    10/10
    quasarstormkittykijukevasionspywarestealerthemidatrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks