quasar | 97ea1071bd6cee9cfeae027600f958429b1564dcd16584482bf66a8f21454ecd

Analysis

max time kernel
2s
max time network
156s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97ea1071bd6cee9cfeae027600f958429b1564dcd16584482bf66a8f21454ecd.exe
Size

1.4MB
MD5

b841fb34d646b046ecf80b647efded35
SHA1

f932c320eb44d95d5e6193c85c5dab62d21868fb
SHA256

97ea1071bd6cee9cfeae027600f958429b1564dcd16584482bf66a8f21454ecd
SHA512

b406b513a98ac83a78bdda6772db79e2d6aad57247a5bd74dc9a4691b0a460c7a7058276c8241a433e9f74d561d5ddc1b64191cc2fc61bef0df1ee55f2488f4d
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

10^/10

quasar -evasion spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

94.131.105.161:12344

Mutex

QSR_MUTEX_UEgITWnMKnRP3EZFzK

Attributes

encryption_key
5Q0JQBQQfAUHRJTcAIOF
install_name
lient.exe
log_directory
Lugs
reconnect_delay
3000
startup_key
itartup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/868-142-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/868-140-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/868-148-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/868-150-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/868-147-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
1760	netsh.exe
1456	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000012272-80.dat	acprotect
behavioral1/files/0x000b000000012272-81.dat	acprotect

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012272-80.dat	upx
behavioral1/memory/2668-82-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/files/0x000b000000012272-81.dat	upx
behavioral1/files/0x002f000000014689-79.dat	upx
behavioral1/files/0x002f000000014689-77.dat	upx
behavioral1/memory/2564-76-0x0000000000560000-0x0000000000592000-memory.dmp	upx
behavioral1/files/0x002f000000014689-75.dat	upx
behavioral1/files/0x002f000000014689-74.dat	upx
behavioral1/memory/2668-86-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/2668-88-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral1/memory/2668-91-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/2032-103-0x00000000026E0000-0x0000000002720000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2380	PING.EXE
1944	PING.EXE
1952	PING.EXE
2688	PING.EXE
2092	PING.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2852	WMIC.exe
Token: SeSecurityPrivilege	2852	WMIC.exe
Token: SeTakeOwnershipPrivilege	2852	WMIC.exe
Token: SeLoadDriverPrivilege	2852	WMIC.exe
Token: SeSystemProfilePrivilege	2852	WMIC.exe
Token: SeSystemtimePrivilege	2852	WMIC.exe
Token: SeProfSingleProcessPrivilege	2852	WMIC.exe
Token: SeIncBasePriorityPrivilege	2852	WMIC.exe
Token: SeCreatePagefilePrivilege	2852	WMIC.exe
Token: SeBackupPrivilege	2852	WMIC.exe
Token: SeRestorePrivilege	2852	WMIC.exe
Token: SeShutdownPrivilege	2852	WMIC.exe
Token: SeDebugPrivilege	2852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2852	WMIC.exe
Token: SeRemoteShutdownPrivilege	2852	WMIC.exe
Token: SeUndockPrivilege	2852	WMIC.exe
Token: SeManageVolumePrivilege	2852	WMIC.exe
Token: 33	2852	WMIC.exe
Token: 34	2852	WMIC.exe
Token: 35	2852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2852	WMIC.exe
Token: SeSecurityPrivilege	2852	WMIC.exe
Token: SeTakeOwnershipPrivilege	2852	WMIC.exe
Token: SeLoadDriverPrivilege	2852	WMIC.exe
Token: SeSystemProfilePrivilege	2852	WMIC.exe
Token: SeSystemtimePrivilege	2852	WMIC.exe
Token: SeProfSingleProcessPrivilege	2852	WMIC.exe
Token: SeIncBasePriorityPrivilege	2852	WMIC.exe
Token: SeCreatePagefilePrivilege	2852	WMIC.exe
Token: SeBackupPrivilege	2852	WMIC.exe
Token: SeRestorePrivilege	2852	WMIC.exe
Token: SeShutdownPrivilege	2852	WMIC.exe
Token: SeDebugPrivilege	2852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2852	WMIC.exe
Token: SeRemoteShutdownPrivilege	2852	WMIC.exe
Token: SeUndockPrivilege	2852	WMIC.exe
Token: SeManageVolumePrivilege	2852	WMIC.exe
Token: 33	2852	WMIC.exe
Token: 34	2852	WMIC.exe
Token: 35	2852	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2564	2552	97ea1071bd6cee9cfeae027600f958429b1564dcd16584482bf66a8f21454ecd.exe	28
PID 2552 wrote to memory of 2564	2552	97ea1071bd6cee9cfeae027600f958429b1564dcd16584482bf66a8f21454ecd.exe	28
PID 2552 wrote to memory of 2564	2552	97ea1071bd6cee9cfeae027600f958429b1564dcd16584482bf66a8f21454ecd.exe	28
PID 2552 wrote to memory of 2564	2552	97ea1071bd6cee9cfeae027600f958429b1564dcd16584482bf66a8f21454ecd.exe	28
PID 2564 wrote to memory of 2712	2564	cmd.exe	30
PID 2564 wrote to memory of 2712	2564	cmd.exe	30
PID 2564 wrote to memory of 2712	2564	cmd.exe	30
PID 2564 wrote to memory of 2712	2564	cmd.exe	30
PID 2712 wrote to memory of 2496	2712	cmd.exe	31
PID 2712 wrote to memory of 2496	2712	cmd.exe	31
PID 2712 wrote to memory of 2496	2712	cmd.exe	31
PID 2712 wrote to memory of 2496	2712	cmd.exe	31
PID 2564 wrote to memory of 2488	2564	cmd.exe	33
PID 2564 wrote to memory of 2488	2564	cmd.exe	33
PID 2564 wrote to memory of 2488	2564	cmd.exe	33
PID 2564 wrote to memory of 2488	2564	cmd.exe	33
PID 2488 wrote to memory of 2852	2488	cmd.exe	32
PID 2488 wrote to memory of 2852	2488	cmd.exe	32
PID 2488 wrote to memory of 2852	2488	cmd.exe	32
PID 2488 wrote to memory of 2852	2488	cmd.exe	32
PID 2564 wrote to memory of 2536	2564	cmd.exe	35
PID 2564 wrote to memory of 2536	2564	cmd.exe	35
PID 2564 wrote to memory of 2536	2564	cmd.exe	35
PID 2564 wrote to memory of 2536	2564	cmd.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\97ea1071bd6cee9cfeae027600f958429b1564dcd16584482bf66a8f21454ecd.exe
"C:\Users\Admin\AppData\Local\Temp\97ea1071bd6cee9cfeae027600f958429b1564dcd16584482bf66a8f21454ecd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    PID:928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    PID:768
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1760
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1456
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:1120
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="ZWKQHIWB" set AutomaticManagedPagefile=False
        5⤵
        
        PID:828
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2216
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:1108
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      PID:1264
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:2308
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 6
        6⤵
        Runs ping.exe
        
        PID:2380
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 16 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 16 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:2544
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 16
        6⤵
        Runs ping.exe
        
        PID:1952
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:1704
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:1276
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
      4⤵
      PID:908
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 9
        5⤵
        Runs ping.exe
        
        PID:2092
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:1636
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\Admin\Music\rot.exe"
      4⤵
      PID:1016
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 12
        5⤵
        Runs ping.exe
        
        PID:2688
    - - C:\Users\Admin\Music\rot.exe
        
        "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:2680
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:868

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic ComputerSystem get Domain
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 12
1⤵
- Runs ping.exe
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
41.1MB

MD5
f90c37c55191825d74e56c91f1debe5a

SHA1
7e0e53d48d5b37fd8c7a4362a7dacfcf647493c8

SHA256
71644c46f40984af6c3ea9b9772b9935b9f8df28a3b869a928594c0b1ecec62b

SHA512
5965314c5d13ea56d37694a34c5c41ee6162902d5777de247ba7f7f9cd9dbf434113e36479aad128d5adbb8e89324f6289b121a35551614f19a78270708cb5f4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
40.5MB

MD5
9af3ecfa6403820048644be9352dc50d

SHA1
7317abc2c9434c575f3239b60e4ccfba49bb0645

SHA256
1ab2ed42501f2a0d00b26c93e07e99523cdf606f6a49c580be59bb15c1287bfb

SHA512
ec93a95472d73b60448be84005e0eb9e9e585ac611f5bcc1e0b4f1efbf61d7522794467fa43890367ba1aa97153f2b1c6b06fa0409313cc702f29afbbda920b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
39.2MB

MD5
f201e9ae3703c77974503d1fda567148

SHA1
dd74c3befe878b5605b22f132059517f8505978b

SHA256
dd1d66e0263a7f663438f86fff30e74cfd7d392f3df2a6bb61817fb8c704bb27

SHA512
0334b0746d85c4030055eeebba41f5e58ee68a227f807e666cf33f7161293243881d4b96c5a5f1e281a1450aabd2fe0a26c4d71b7ff7c89317c176bd9485569f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
52.0MB

MD5
d02a839c963de78c4b7b17c0ef6d7767

SHA1
b64d4890c8a78db61683707802af006539e0d980

SHA256
2bf69e4a9335ca6a78caba1d6882f00e31369c8d886f0b7d6275c95f23944a15

SHA512
66aa64e49b34821fb39b1ee47d66046baefe202f8608f861b6888080115f0cde6061926950c42c1230bd8893370439435af16e707599453c0efb06c11f84e80a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HM25U330OS5A7OCKNS3X.temp

Filesize
7KB

MD5
3b4c9d5dfbbd1392fe1409f4626c3d78

SHA1
f8b7d82d009b9c23b1eefa662f68456b55a7b1da

SHA256
7d33ea394aff90833141ff1e3dc471ac1f2d4115ae81bcc439a2870dd1046b14

SHA512
87d9d884eb00f11617fcee5d04cbfe415f9e9931055d311bfd5fceece4961c79a5df62ebe8fe8dbe85c051fa0c05c953417d7503107f6d7fd441049f70a93dc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3b4c9d5dfbbd1392fe1409f4626c3d78

SHA1
f8b7d82d009b9c23b1eefa662f68456b55a7b1da

SHA256
7d33ea394aff90833141ff1e3dc471ac1f2d4115ae81bcc439a2870dd1046b14

SHA512
87d9d884eb00f11617fcee5d04cbfe415f9e9931055d311bfd5fceece4961c79a5df62ebe8fe8dbe85c051fa0c05c953417d7503107f6d7fd441049f70a93dc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3b4c9d5dfbbd1392fe1409f4626c3d78

SHA1
f8b7d82d009b9c23b1eefa662f68456b55a7b1da

SHA256
7d33ea394aff90833141ff1e3dc471ac1f2d4115ae81bcc439a2870dd1046b14

SHA512
87d9d884eb00f11617fcee5d04cbfe415f9e9931055d311bfd5fceece4961c79a5df62ebe8fe8dbe85c051fa0c05c953417d7503107f6d7fd441049f70a93dc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3b4c9d5dfbbd1392fe1409f4626c3d78

SHA1
f8b7d82d009b9c23b1eefa662f68456b55a7b1da

SHA256
7d33ea394aff90833141ff1e3dc471ac1f2d4115ae81bcc439a2870dd1046b14

SHA512
87d9d884eb00f11617fcee5d04cbfe415f9e9931055d311bfd5fceece4961c79a5df62ebe8fe8dbe85c051fa0c05c953417d7503107f6d7fd441049f70a93dc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3b4c9d5dfbbd1392fe1409f4626c3d78

SHA1
f8b7d82d009b9c23b1eefa662f68456b55a7b1da

SHA256
7d33ea394aff90833141ff1e3dc471ac1f2d4115ae81bcc439a2870dd1046b14

SHA512
87d9d884eb00f11617fcee5d04cbfe415f9e9931055d311bfd5fceece4961c79a5df62ebe8fe8dbe85c051fa0c05c953417d7503107f6d7fd441049f70a93dc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3b4c9d5dfbbd1392fe1409f4626c3d78

SHA1
f8b7d82d009b9c23b1eefa662f68456b55a7b1da

SHA256
7d33ea394aff90833141ff1e3dc471ac1f2d4115ae81bcc439a2870dd1046b14

SHA512
87d9d884eb00f11617fcee5d04cbfe415f9e9931055d311bfd5fceece4961c79a5df62ebe8fe8dbe85c051fa0c05c953417d7503107f6d7fd441049f70a93dc7

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
30.7MB

MD5
ea6a3dd88aebc161e47e3c8c5b14cf21

SHA1
42cba2c87c4d12e33be9d1da672bdc5e048ddcf8

SHA256
49ad9949c944cbf9a944ac447e6fd429308098ffb7b628f7a091e7bd619c7550

SHA512
515f99572ea64951490ff92a8be4abcf10bd9a2e743d65d0c529d46b1b3f3ec379d1e5a6f2b1fbcc39e6826ff2b92c76b6d3971ca95a9f6d17c5a34e4fc870cf

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
29.4MB

MD5
81a82de51526e799e07ae3732b897ae9

SHA1
9117bb75f0e998a24677eafdcc3fb0a303da1409

SHA256
44b5424be10b3f98b07c6773b42ed875262fd7847d7bc4a015798f554e7dce61

SHA512
8aa54f9d41c1dd51742fef151822b6b8d71b6f047be57da398f6d5c4895c16fb5ffd651965d7d95e1239d12a8bc67fbe724e79ac42e55299fde7fe9ea0dae5e4

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
28.1MB

MD5
274be37d0ff73f869bbfd04fea59596e

SHA1
046769adc81a9833894cdb9288db8697b98fbee5

SHA256
7478bab1e1856153e95740f3dbe779bbc77362b2e603416e94f8fbbf4b7d6b2c

SHA512
bed8e0a031123574da78137e2ed20a639bad97f463a0bdbca68c9d4b27325052e83d1dd2e0b326224709f314682541ab9126182ebea6f160f49e546b74bf6c91

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe

Filesize
42.1MB

MD5
525c4d920c43629103bddada4b58d5a5

SHA1
bcc4f7a17c7b4d15aaf0f21fd859fd369eef7b61

SHA256
37a19de8917995ff0f48182ed933ecb3e7d5c24f9ee59b1163e679d44de3260e

SHA512
a05fe6986b878f61d198e74bc2d5f98bd104392d6bc728dd523d1563cce2b2a2ee880cbf5d6de9a1ebcbc5509b424ed782ed1b5558f167212066eaeae874523d

Download Submit
\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
41.7MB

MD5
78fbcc73c2fa51f08cc53d3282675c47

SHA1
027b131b874bda7d4f0abd9e4a3dfbbf5b0f2a21

SHA256
756421eba22fc39753067bf02863f2234150c3addc98352907be08b90a8b3e72

SHA512
ee497ddc8d96e8bc6bbf0e21d254ffba3dbfd0db167b3b61be31251b12418b52a3b3a5661bbb633da83afd338607edbb6085531c974d79ea80c34eb1cc2d380c

Download Submit
\Users\Admin\Music\rot.exe

Filesize
26.8MB

MD5
f830e2d2afae69b19c392f1fd99ecfb8

SHA1
2bc5ad267c98bd1acceb5625f5ca455e7986aa84

SHA256
7257d96e0ace5f23b3a45f30f1c0ea179d1f2dcebb0a336ac398612829c3e52e

SHA512
b519d24add9e02d8f49f2100b54e22559f5fa157b706e271dba12de03fb5638c5a1a342061d1291472d608a476dcb0b047ec27ccb09a628e137796d720a7ef33

Download Submit
memory/768-73-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/768-72-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/768-68-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/768-69-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/768-70-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/768-71-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/868-142-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/868-148-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/868-154-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/868-153-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/868-147-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/868-151-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/868-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/868-144-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/868-140-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/868-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/868-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/928-57-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/928-62-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/928-59-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/928-60-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/928-58-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/928-61-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/1264-122-0x0000000070600000-0x0000000070CEE000-memory.dmp

Filesize
6.9MB

Download
memory/1264-113-0x0000000000100000-0x00000000002B6000-memory.dmp

Filesize
1.7MB

Download
memory/1264-115-0x0000000070600000-0x0000000070CEE000-memory.dmp

Filesize
6.9MB

Download
memory/1264-118-0x00000000006B0000-0x00000000006F6000-memory.dmp

Filesize
280KB

Download
memory/1264-119-0x0000000070600000-0x0000000070CEE000-memory.dmp

Filesize
6.9MB

Download
memory/1276-120-0x0000000070600000-0x0000000070CEE000-memory.dmp

Filesize
6.9MB

Download
memory/1276-114-0x0000000001120000-0x00000000012D6000-memory.dmp

Filesize
1.7MB

Download
memory/1276-121-0x0000000070600000-0x0000000070CEE000-memory.dmp

Filesize
6.9MB

Download
memory/1276-117-0x0000000000350000-0x0000000000396000-memory.dmp

Filesize
280KB

Download
memory/1276-116-0x0000000070600000-0x0000000070CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2032-103-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2032-104-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2032-101-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-102-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-110-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-105-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2536-27-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2536-28-0x0000000001CD0000-0x0000000001D10000-memory.dmp

Filesize
256KB

Download
memory/2536-29-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2536-26-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-85-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2564-84-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2564-76-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2564-78-0x0000000000560000-0x0000000000592000-memory.dmp

Filesize
200KB

Download
memory/2636-47-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-46-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-51-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-49-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/2636-48-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/2636-50-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/2668-91-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2668-88-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/2668-86-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2668-82-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/2680-131-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-149-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-130-0x00000000012B0000-0x0000000001466000-memory.dmp

Filesize
1.7MB

Download
memory/2680-132-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-135-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/2680-133-0x0000000000920000-0x000000000093A000-memory.dmp

Filesize
104KB

Download
memory/2680-146-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/2680-134-0x0000000000990000-0x0000000000996000-memory.dmp

Filesize
24KB

Download
memory/2752-38-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2752-35-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/2752-37-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2752-39-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2752-36-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download
memory/2752-40-0x0000000073F80000-0x000000007452B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads