Overview

overview

10

Static

static

10

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Resubmissions

19-09-2023 04:16

230919-evw21aeg6z 10

19-09-2023 03:45

230919-ebdfjsef3t 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f

  • Size

    3.1MB

  • Sample

    230919-ebdfjsef3t

  • MD5

    28e03a0e0871a90ee993db029c25ded5

  • SHA1

    651f0c06a5d0bf37a8a7987626a89135b5384459

  • SHA256

    51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f

  • SHA512

    c13997f114735d9db85205b7b76f5236c0721babd850528bd066d0ed0059bd82650008bf52a8172a9a183ad8b90beb16c39b682511c6750d896ef99c10a57a60

  • SSDEEP

    49152:q+4bzTvij0votBkRPJMMB+9YUkSk+yfzBcpoG9SbTHHB72eh2NT:q+i/i5tBkRPJMM2YUkSk5u

Score
10/10
phobosquasarcuntevasionpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

cunt

C2

37.139.129.145:5512

37.139.129.145:5505
Mutex

5a092138-836c-4206-9af6-8a540736ef07

Attributes
  • encryption_key

    D21B49539C3EA494897D43CF75CBF5F989F0792A

  • install_name

    ntoskrnl.exe

  • log_directory

    SystemLogs

  • reconnect_delay

    3000

  • startup_key

    Kernel

  • subdirectory

    Kernel

Targets

    • Target

      51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f

    • Size

      3.1MB

    • MD5

      28e03a0e0871a90ee993db029c25ded5

    • SHA1

      651f0c06a5d0bf37a8a7987626a89135b5384459

    • SHA256

      51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f

    • SHA512

      c13997f114735d9db85205b7b76f5236c0721babd850528bd066d0ed0059bd82650008bf52a8172a9a183ad8b90beb16c39b682511c6750d896ef99c10a57a60

    • SSDEEP

      49152:q+4bzTvij0votBkRPJMMB+9YUkSk+yfzBcpoG9SbTHHB72eh2NT:q+i/i5tBkRPJMM2YUkSk5u

    Score
    10/10
    quasarcuntspywaretrojanphobosevasionpersistenceransomwarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (54) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

2
T1082

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4
T1490

Resource Development

Reconnaissance

Tasks