Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f

  • Size

    5.3MB

  • Sample

    230409-1737qsfc4y

  • MD5

    6eea1248a188ec88b2e7d50242da4965

  • SHA1

    a08f6574178ab2cc4fed339caee2e0b584a7ca38

  • SHA256

    f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f

  • SHA512

    76c8c91ad1020956393b6e8fbc7ce02866fa1c99fa913c749662b74ea161d5f9137ec2691fb23f07d8d286db2e351297704898dcbdc18d08b7b276c5fd351570

  • SSDEEP

    49152:ycVV1BCjBNwU6dK2NUyig6XiRlFU3CRVVGX0eRpL5nUi1JQfPU3+8qy9A+fC1pKg:7

Score
10/10
quasarredlinesectopratcheatnetwork1discoveryevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

154.81.220.233:28105

Extracted

Family

quasar

Version

1.4.1

Botnet

Network1

C2

auroraforge.art:55326

thesirenmika.com:55713
Mutex

d8de8ec1-301f-4631-8c5e-1f6b72751c16

Attributes
  • encryption_key

    A730DFF691ED1723ED88E36A2C5E7ED5CCF91DD1

  • install_name

    up2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f

    • Size

      5.3MB

    • MD5

      6eea1248a188ec88b2e7d50242da4965

    • SHA1

      a08f6574178ab2cc4fed339caee2e0b584a7ca38

    • SHA256

      f89d7be9b2bf898e1d7d23a19303f31f6d9b00fea130683f7163ffdce7a5655f

    • SHA512

      76c8c91ad1020956393b6e8fbc7ce02866fa1c99fa913c749662b74ea161d5f9137ec2691fb23f07d8d286db2e351297704898dcbdc18d08b7b276c5fd351570

    • SSDEEP

      49152:ycVV1BCjBNwU6dK2NUyig6XiRlFU3CRVVGX0eRpL5nUi1JQfPU3+8qy9A+fC1pKg:7

    Score
    10/10
    quasarredlinesectopratcheatnetwork1discoveryevasioninfostealerpersistenceratspywarestealertrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Hidden Files and Directories

2
T1158

File Permissions Modification

1
T1222

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks