15-07-2023 06:45

230715-hh3kssaa9w 10

General

  • Target

    Medieval Cracked.exe

  • Size

    51.9MB

  • Sample

    230715-hh3kssaa9w

  • MD5

    13a623a6fd5ad41c9cba1b7ddfa30878

  • SHA1

    c3f0a4c9961146fbf046ab6b0e572bcd9c4a923b

  • SHA256

    99198643f2b0564539abec2e6e7ca8c7c455e203077b8751a9a8400807ad1ddc

  • SHA512

    de47b6fc1575d49400ab630780ba45c9e657ed449b94532591fa6c8a81b2d5aab3715d6df0088d20dab431f0f980155dc994b0ce2b11989281b8d8b731576faa

  • SSDEEP

    1572864:tYQtiTgQJ7B1uTmU/uwxGBX21FFt1K8NviPc:6V7Lu6tw0oXvAc

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

2.56.245.127:7707

Mutex

bfe1300a-d0c1-438c-ac10-db9b3f06e51f

Attributes
  • encryption_key

    EAEF8600AE6AE9669093373D05E8E9E509F6D52F

  • install_name

    Microsoft Language Service.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Microsoft Language Service

  • subdirectory

    WindowsHost

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique                        Count  ID
Execution              Scheduled Task                   1      T1053
Persistence            Scheduled Task                   1      T1053
Persistence            Hidden Files and Directories     1      T1158
Privilege Escalation   Scheduled Task                   1      T1053
Defense Evasion        Hidden Files and Directories     1      T1158
Credential Access      Credentials in Files             2      T1081
Discovery              System Information Discovery     1      T1082
Discovery              Query Registry                   1      T1012
Collection             Data from Local System           2      T1005