General

  • Target

    MMLo7.Rat.rar

  • Size

    5.7MB

  • Sample

    230822-maabhadb7v

  • MD5

    4747547f047d47bd37bc0d1b65625694

  • SHA1

    827e3f9ca857ed95ef8185c80e5fa85fdffa28e4

  • SHA256

    091833fb986ac8a78a9a33ae7852d2b02d510348bdcb915d4e2e51a6de27f64a

  • SHA512

    3336de360626d125c4777d626a0790c69faf209c642d99d085cd72f92b9e5ba93aca9f9c92d81cb1e3b2ee21f6ff12cf9c6fe6ecbe9554ad846fa1cd74874241

  • SSDEEP

    98304:HtkSjvhd8cMOBhzp1svAJFF5N7nicdRaDzmLW/nJHksov7iUsPIUDjvEQnQLligi:HtBjJd8vazEQFPN7tAeaBLNUsPIUvMUL

Malware Config

Extracted

Family

quasar

Attributes

  • reconnect_delay

    5000

Extracted

Family

xworm

Attributes

  • install_file

    USB.exe

Extracted

Family

quasar

Version

1.3.3.7

Botnet

Office04

C2

127.0.0.1:305

Mutex

QSR_MUTEX_2Q0xuNOWuzstz1nIHm

Attributes

  • encryption_key

    yXJmgz868tgJWmotirHr

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      MMLo7.Rat.rar

    • Size

      5.7MB

    • MD5

      4747547f047d47bd37bc0d1b65625694

    • SHA1

      827e3f9ca857ed95ef8185c80e5fa85fdffa28e4

    • SHA256

      091833fb986ac8a78a9a33ae7852d2b02d510348bdcb915d4e2e51a6de27f64a

    • SHA512

      3336de360626d125c4777d626a0790c69faf209c642d99d085cd72f92b9e5ba93aca9f9c92d81cb1e3b2ee21f6ff12cf9c6fe6ecbe9554ad846fa1cd74874241

    • SSDEEP

      98304:HtkSjvhd8cMOBhzp1svAJFF5N7nicdRaDzmLW/nJHksov7iUsPIUDjvEQnQLligi:HtBjJd8vazEQFPN7tAeaBLNUsPIUvMUL

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      MMLo7 Rat.exe

    • Size

      2.8MB

    • MD5

      2dc24c81438806bd03b492b9a3f3c55c

    • SHA1

      1b62f6d53570d7cd3c8d04e6ea7e349b5de5cc89

    • SHA256

      3edd74d68dd78681ed9eae3973ee2fb878c60e6e24dfa313ea2b4547008b1149

    • SHA512

      f03ef03ffd926c35a6c88be065a8b6174af323a9fc633fc8d0c1ee55bf8b2eb5ef824d9c9feda21104dd10ff7f0d8d0660e9d4ba0cd8a932dd5d8e342f023ce1

    • SSDEEP

      49152:cTtjEoXzJndn324ktdDyXqimfg9vdsIvQBLjEWdK/EEj8iG/MRmJ:stnXzJ12lDyXJMsvGs8Ljc7oRR

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Detected potential entity reuse from brand microsoft.

    • Target

      turingmachine.exe

    • Size

      286KB

    • MD5

      c81a9adf64819041ac1435fab28004e3

    • SHA1

      a126d54caabbdd6456ac1ddd57a4ead629f4f287

    • SHA256

      5a1c7a22a6fbe36701b53b49a134ad37ab6194030753824a1bef260862902ac8

    • SHA512

      3ec5bc46bd46a06271905614adde9e60dd30d2315eb700d36852c6d2e1207a6218d007a7eb9ef2f0134eae53b1a04305be61e314e0ca426e132e8660e0bdcf58

    • SSDEEP

      6144:lGz3mOwb5nxTfSUkAxzi1jZtV6GUvUwibiCcefPgMJjaTbMFfCNB53C:2YxrOKHibiCce3jaU6B53C
