General

  • Target

    a364b35d4dbdcf328367df843a6286c1.bin

  • Size

    12.3MB

  • Sample

    230306-b1r4fshf6x

  • MD5

    303493f1a6f9ad2e3cf524a182414a63

  • SHA1

    eca170bcc80856f5be4550b40d43f045a7ce901e

  • SHA256

    9fd04a33577137b35d9fbe5ac37b8bc59fe107a259fc9430c2492afeaab80842

  • SHA512

    a4f4c567bff065fa30e1cbdfc929d31f464bd5d997a3c6a41d6a25d6bfc17203128976b59b2275652dda2e9b76e4753c37cdd44c5a4014e3b390949285b3edcc

  • SSDEEP

    196608:3tktDAzvM8n8DAAUFo9Tfv9T2GwxZFb37EH3XNV9AXUj6HQaTKSSMQ1ydSdK:W10n8EvKTH0Ge2XN4xQxv11OSs

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

storage

C2

xmarvel.ddns.net:4782

2.58.56.188:4782

Mutex

Slbw7KtgA7WecQEqcR

Attributes
  • encryption_key

    BTg0dEybEXwn6MM90CP2

  • install_name

    ccleaner.exe

  • log_directory

    windowfirewalls

  • reconnect_delay

    1

  • startup_key

    windowsfirewall.msc

  • subdirectory

    windowsfirewall

Extracted

Family

limerat

Wallets

13WHQ6XEobZYNAjHZPJHkDuzMS8TpgkRqm

Attributes
  • aes_key

    key

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/nW4J6TiP

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    windowsdefender.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

quasar

Attributes
  • reconnect_delay

    1

Targets

    • Target

      78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

    • Size

      12.9MB

    • MD5

      a364b35d4dbdcf328367df843a6286c1

    • SHA1

      31a54c5118109afa7d5c7c465bb4d3b25c947284

    • SHA256

      78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

    • SHA512

      e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

    • SSDEEP

      196608:Lg+Aalc1yGZIh6L5iYl/dsy+7d3tFELLs1cAm6f971YAmX1ZK1vauo9Dn:Lgsl5hef1k7ptmQbm6fnmlZsoRn

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Command and Control

    Web Service (T1102): 1

Tasks