Analysis
-
max time kernel
143s -
max time network
179s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
17-04-2023 11:32
General
-
Target
bby.exe
-
Size
16.0MB
-
MD5
d7e48e5a49efe9ed774546fa7d35d71a
-
SHA1
06212065ffe07d1321c8d85bf5c45871683fb197
-
SHA256
b4f6e6290b1e185bff0baf1b1f3a16291bb2ceb3528051a2aa9528c43231e710
-
SHA512
7dcfc267f527d27d6cb58bd950241b4a8a658b34bc4696f308fd5448b4111d64b93078fedf8d2c138eef83b6148372d8c887b74aae8291fc05c665fbe3d4eeb1
-
SSDEEP
393216:2U6K+uYp1UjvoWFd6vtcUyPaqIddvWiV3lbqSV6htNQcfzlRFGH:2zKnjvpK1cUhZWwbqM6htNQcffFGH
Malware Config
Extracted
quasar
2.1.0.0
Office04
cable-cp.at.playit.gg:21596
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
-
encryption_key
GDDG0qqm5dHuoT6GjWWz
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft one Drive
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 7 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detects Redline Stealer samples 2 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 7 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bby.exe"C:\Users\Admin\AppData\Local\Temp\bby.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\paypal.exe"C:\Users\Admin\AppData\Local\Temp\paypal.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft one Drive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\paypal.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\SubDir\Client.exe"C:\Windows\SysWOW64\SubDir\Client.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft one Drive" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lzp8eloHjKWN.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 18644⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XZaygvPgDJHT.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Paypal.exe"C:\Users\Admin\AppData\Local\Temp\paypal.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Proxy Shifter.exe"C:\Users\Admin\AppData\Local\Temp\Proxy Shifter.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -noprofile -4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e0rg1jmi\e0rg1jmi.cmdline"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES714.tmp" "c:\Users\Admin\AppData\Local\Temp\e0rg1jmi\CSC550B2A6214D34D05A9A34B2E98711C87.TMP"6⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51efce85e583a7a2f123317a20f889d04
SHA160f71aa73ea2e2a48ed1c17e3c6d440abf39c914
SHA2562b5532a94879134a876b11c188ade1a61deaba6a80fe1f3a3a77cc442f1cca0d
SHA51245a5cd283e6a6ac34c3d8b1a6d73dc1cf52d8c974cf84624e8e9924eddaf354ccda929bce728b47db2b62175e47bdc3eaca6bc6b84d3565881fa87c50319d24c
-
Filesize
672KB
MD5561a7ddda53177362dc0ac85ec84421e
SHA11d0f2a9dd397a6d435063fcdd76f02dd04ab1b7a
SHA256b3e2c9fbc435b5e2f552234b0e1c4ec7bb2ebe5f53413268b1089038cfe5748b
SHA5128dfcaf20f68e0c9ba7e768929e12e930a466d352ae8f5b452af0e603722e048b60fb4272c280a52f87eb3d3f25ce691ed6afd4285f440f18d68af22fe8d6f6d1
-
Filesize
672KB
MD5561a7ddda53177362dc0ac85ec84421e
SHA11d0f2a9dd397a6d435063fcdd76f02dd04ab1b7a
SHA256b3e2c9fbc435b5e2f552234b0e1c4ec7bb2ebe5f53413268b1089038cfe5748b
SHA5128dfcaf20f68e0c9ba7e768929e12e930a466d352ae8f5b452af0e603722e048b60fb4272c280a52f87eb3d3f25ce691ed6afd4285f440f18d68af22fe8d6f6d1
-
Filesize
36.8MB
MD57cbac120d865d4c4c218b06144580b0a
SHA119afc5f464e84dc362459ab53dd3b6947b708d2e
SHA25677f211fe4f26bbf491ee2a4eb6ac07a123a1ae40b59062d88c222e61b60c082b
SHA512439ffd9e287b9c7468c9f85b52f0734b8b98e4b917576b2e87a6775b0d65b3da3103341c743b93722726795eadf86148c1b2c573a6f4a7b1c2cf5f307cfca625
-
Filesize
36.8MB
MD57cbac120d865d4c4c218b06144580b0a
SHA119afc5f464e84dc362459ab53dd3b6947b708d2e
SHA25677f211fe4f26bbf491ee2a4eb6ac07a123a1ae40b59062d88c222e61b60c082b
SHA512439ffd9e287b9c7468c9f85b52f0734b8b98e4b917576b2e87a6775b0d65b3da3103341c743b93722726795eadf86148c1b2c573a6f4a7b1c2cf5f307cfca625
-
Filesize
1KB
MD5001db702d57763bf3a3f10dbe6bd7c9f
SHA1384d42a6626863635d72b088fcc3677686528e1e
SHA256d69c5f85195754e8220a34c643a0ce32e27152f8445be3331a37c98398fbb618
SHA512e75018188c8420bd1edb2fd5f330bbe7ed03d89d545a5675b743ccb50f761246efb4e1546c4efe564b3707d31a952787ccd1b1ee6a4a8f62bdeb7d344cb5470a
-
Filesize
203B
MD5d4180895c407c662bf596df86a552f11
SHA11fba8d772cc824ad44977e03ea56ea5e55d321e1
SHA2562459f0d5f78fe329355db9ca3f5a856e4a5e1836ab14eac4358d1e38f6b88bc7
SHA51233fd1844386eaa440338bbbdeaec9ca5bd517794820241e7b0764ab41fad5d6c489bb2f0818f51e21222f3d3dbcd5bb65e8a35b501aa1ff1ddc4be23f63b60bb
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
3KB
MD540a35eb4a4c5a731d48921bfbe23b779
SHA10523f279dcb36ac8b74a75879a63b2a7e6fe0f20
SHA256fb5ba944ee578b661783883b1a2285ae29f7b066745d401f147319fc6cf3d27a
SHA512a25115d21a25646ef65f6a6b51b1883190d898c0db278a76142f6bd4956dafef8e63fa48c561d6f7dbcae7b11c5c5ec5d901303e577293387673c67f5a2d4b8e
-
Filesize
196B
MD5b6b99bf33ced020616129f1ba959957d
SHA158a55396084255eb033a8471a3281ac2ae8f284c
SHA256710e135854f72bf92bc32e7bbbf9d86c31add373e8b987d8206df0324383902f
SHA5122da7ac69899a0fee8c111402053203cc7eb64a5ac3a24cd1d2ddfbde91ed1a5650bc5503073c36127e757cdbf506479e88ce500fb6c2ffaa950028994c930b06
-
Filesize
672KB
MD5561a7ddda53177362dc0ac85ec84421e
SHA11d0f2a9dd397a6d435063fcdd76f02dd04ab1b7a
SHA256b3e2c9fbc435b5e2f552234b0e1c4ec7bb2ebe5f53413268b1089038cfe5748b
SHA5128dfcaf20f68e0c9ba7e768929e12e930a466d352ae8f5b452af0e603722e048b60fb4272c280a52f87eb3d3f25ce691ed6afd4285f440f18d68af22fe8d6f6d1
-
Filesize
2.6MB
MD54b25dfb983845ff57360c720a429eef4
SHA151a9cad777b37f1c521c6d50b6f49379fb6d0a06
SHA25653b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282
SHA512b808133885ef35cba2ea81d37a9f996b121a91e459c68cf5b98cab2a53f783927a0023ecc095b5664fef1bcd463f8b8b42b51f8511fda25e21141693aed4ec77
-
Filesize
141KB
MD5dc92b8e77d869866a6af82409fae0af2
SHA1a0edf2ddf35304854a134eac14637239fe319292
SHA25681aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2
SHA512dbfb1656b9aeb116993e9034d8a422a8d61d89f861221e15491d8dde04231eaa357573de59eab65b49533e03f06699a508dd27ed6b85ac94c882f505d22a0bdb
-
Filesize
419B
MD5bf77c98084bde13aa379a5527a0f5850
SHA18a4d1307c3952d00ab3279baee4a03f899de7f1c
SHA256c88eb353b4e1fe7f02529f9e8b48b21cee2c813674b32843136861f885053e3f
SHA5128237fb209695c2568f4d3ada3181eb9a65ad16140896a5f8013ae267048ecd6994cddb25fc7ca0849bb0c484ba7be7a738a3ca0cad6e85d75587c4a2c37c60ef
-
Filesize
672KB
MD5561a7ddda53177362dc0ac85ec84421e
SHA11d0f2a9dd397a6d435063fcdd76f02dd04ab1b7a
SHA256b3e2c9fbc435b5e2f552234b0e1c4ec7bb2ebe5f53413268b1089038cfe5748b
SHA5128dfcaf20f68e0c9ba7e768929e12e930a466d352ae8f5b452af0e603722e048b60fb4272c280a52f87eb3d3f25ce691ed6afd4285f440f18d68af22fe8d6f6d1
-
Filesize
672KB
MD5561a7ddda53177362dc0ac85ec84421e
SHA11d0f2a9dd397a6d435063fcdd76f02dd04ab1b7a
SHA256b3e2c9fbc435b5e2f552234b0e1c4ec7bb2ebe5f53413268b1089038cfe5748b
SHA5128dfcaf20f68e0c9ba7e768929e12e930a466d352ae8f5b452af0e603722e048b60fb4272c280a52f87eb3d3f25ce691ed6afd4285f440f18d68af22fe8d6f6d1
-
Filesize
672KB
MD5561a7ddda53177362dc0ac85ec84421e
SHA11d0f2a9dd397a6d435063fcdd76f02dd04ab1b7a
SHA256b3e2c9fbc435b5e2f552234b0e1c4ec7bb2ebe5f53413268b1089038cfe5748b
SHA5128dfcaf20f68e0c9ba7e768929e12e930a466d352ae8f5b452af0e603722e048b60fb4272c280a52f87eb3d3f25ce691ed6afd4285f440f18d68af22fe8d6f6d1
-
Filesize
652B
MD5b0e328ebd580fba5dff592de9b69d2d4
SHA14555606bc8f6bdc273b758a366e2f9b9fda79d8f
SHA256be6e88d03b56bea78f3ef38241fd17fb339307a575013f3107a2a223f7d5d2f3
SHA5123d1f6fb38f1bbf548781a771164c4cc994f155a4d5fcf555746ad18a0b75bb9b7901547394743619a43cb69564fd9139d9cdd01de7d447b4c36966361bc0e365
-
Filesize
331B
MD5290cee718da5975e051415a46af47a4a
SHA18099250c47bb93d821def350b467521e7cf8d5de
SHA25626d220f0926af717fb195e1ec05f2ecccee3fbd37fa92148774bb5604557c9c9
SHA512306d86ec0c4bc64594b4ca336822030926eaea0873ccdbcf989a721d307b19831761a15b3a222f6ec0dcc44ba0fbacac6ffbe7da0f7a447d5d34d76f3f029510
-
Filesize
369B
MD55a640408da1646ed0b97d84832adc5ce
SHA1803d1da20d0e5b7653343537f2fce5f98c9f18a5
SHA25662ec0557114c5eb62d1770485ffb91bebeed0195ebeb59c7ebc6c7d1a4f094fa
SHA5125d2680246dbb7f38224a0d26a06705389eddcfb0a6223125a6ea74b99ce8af75453994bee3d9afa436bf89ba926a64535af68ab08de0bf892f2d05e175dbf32c
-
Filesize
2.6MB
MD54b25dfb983845ff57360c720a429eef4
SHA151a9cad777b37f1c521c6d50b6f49379fb6d0a06
SHA25653b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282
SHA512b808133885ef35cba2ea81d37a9f996b121a91e459c68cf5b98cab2a53f783927a0023ecc095b5664fef1bcd463f8b8b42b51f8511fda25e21141693aed4ec77
-
Filesize
141KB
MD5dc92b8e77d869866a6af82409fae0af2
SHA1a0edf2ddf35304854a134eac14637239fe319292
SHA25681aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2
SHA512dbfb1656b9aeb116993e9034d8a422a8d61d89f861221e15491d8dde04231eaa357573de59eab65b49533e03f06699a508dd27ed6b85ac94c882f505d22a0bdb
-
Filesize
472KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
592KB
-
Filesize
216KB
-
Filesize
300KB
-
Filesize
204KB
-
Filesize
120KB
-
Filesize
112KB
-
Filesize
3.3MB
-
Filesize
660KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
40KB