General
-
Target
41052dd1d4bceddb8765359ef8e1f319fed55ce6c427e47f7eddebaf740ac97dexeexe_JC.exe
-
Size
6.1MB
-
Sample
230813-le6d3aac99
-
MD5
2e05358b2c35a5279467c6780ae16c68
-
SHA1
833537db4ed37ebdf490d4085e236333ba36ffb0
-
SHA256
41052dd1d4bceddb8765359ef8e1f319fed55ce6c427e47f7eddebaf740ac97d
-
SHA512
be9563c965ea01eca523e806fc9e69a4a0e6cecfe653e04b6deadda046d57fa9bfa766bfe6086bfb800fcaab8b99c71330cd342eaa2bb938d60c07b84763421e
-
SSDEEP
98304:9lvGIat2c2MyIfL50dC0R+1VlR88ZBgTCh1m4V/:9lvG1FyIT5lmqeT+r
Static task
static1
Behavioral task
behavioral1
Sample
41052dd1d4bceddb8765359ef8e1f319fed55ce6c427e47f7eddebaf740ac97dexeexe_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
41052dd1d4bceddb8765359ef8e1f319fed55ce6c427e47f7eddebaf740ac97dexeexe_JC.exe
Resource
win10v2004-20230703-en
Malware Config
Extracted
redline
KMSpico-Ad
107.189.13.48:41805
-
auth_value
6ac304450f04a28ca3b5bc80d4f05224
Extracted
quasar
1.3.0.0
Adware 1.1
proxy-29837846723.com:80
ewmh50NpQc3nWUoNTl
-
encryption_key
1lTgL3je84LTD6QrtS40
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
30000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
41052dd1d4bceddb8765359ef8e1f319fed55ce6c427e47f7eddebaf740ac97dexeexe_JC.exe
-
Size
6.1MB
-
MD5
2e05358b2c35a5279467c6780ae16c68
-
SHA1
833537db4ed37ebdf490d4085e236333ba36ffb0
-
SHA256
41052dd1d4bceddb8765359ef8e1f319fed55ce6c427e47f7eddebaf740ac97d
-
SHA512
be9563c965ea01eca523e806fc9e69a4a0e6cecfe653e04b6deadda046d57fa9bfa766bfe6086bfb800fcaab8b99c71330cd342eaa2bb938d60c07b84763421e
-
SSDEEP
98304:9lvGIat2c2MyIfL50dC0R+1VlR88ZBgTCh1m4V/:9lvG1FyIT5lmqeT+r
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
XMRig Miner payload
-
Creates new service(s)
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1