Analysis
-
max time kernel
7s -
max time network
56s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
02-11-2023 16:42
General
-
Target
NEAS.435d784177be0786b43390ebfa6db620.exe
-
Size
2.0MB
-
MD5
435d784177be0786b43390ebfa6db620
-
SHA1
fb1c42eeaa2a4dc4770ff65473e9cb189a1722ca
-
SHA256
c6b9b3f728ab67474196acf152c59771fb3e227820b154ed16b45c71eea1c258
-
SHA512
27681572f28c18b0a03a750b972556955abc0a13d2e79b057dfb34efb08dce3a04700ab188c6612366ff9f48314e84934b6110dfbe7761dfa76c38e8eecbc95f
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYQ:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yi
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 11 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.435d784177be0786b43390ebfa6db620.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.435d784177be0786b43390ebfa6db620.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vt0WcilAP2Ue.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 22684⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\NEAS.435d784177be0786b43390ebfa6db620.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.435d784177be0786b43390ebfa6db620.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4596 -ip 45961⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.logFilesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
C:\Users\Admin\AppData\Local\Temp\Vt0WcilAP2Ue.batFilesize
208B
MD58ef03d1641af7cf412b5d892776c9a5a
SHA1b9a7a48ba1c428d64b741ebaa741e030c0d7bbf9
SHA256037b6555edcd2065cb52d8fabb177f381e06c06b95b2526548be84a5eb1c8074
SHA512a469581895bb17071bcd1a441e5ff355534ce6091a8e8581a004dd7465c82b4624288f87d6de0ff476d27e96103a72d8fec57a6c002a4ff2ab803403e3d7011b
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\Logs\11-02-2023Filesize
224B
MD5c537631e1e625df7a50cd316f6e47cbf
SHA198d3617fbec585c499b329705436d331199eacf1
SHA2565f0fb800365a0dc1e04178a62f415f8558b4d2f79352d07b5708cd6a32b5ecad
SHA512d64624c8b28cd199e4952c111d80198859eeaa8fb9cb375807de9bbb332bee7b1a25540dbd30c72ef1991cfa0b60ef3d455f147fcd4780ce32d190d6bb83b0bc
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD5e261a86054acf5d4daebc961af9f199f
SHA10795810946d97c399e17a63ca3d287b2627b4655
SHA256f9a9d0ac8f9f55b608b0262c0620206949fff73d47dca913eca8f4057f79628a
SHA5123934a3345f066ccc6250a7bf341f8fef85738d38ddfbc701c2a7ab4481641bbec882b6fd666a28fd68814fe61f58993caa1885c702a880ea9bfc98c06b06b2c8
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD5e261a86054acf5d4daebc961af9f199f
SHA10795810946d97c399e17a63ca3d287b2627b4655
SHA256f9a9d0ac8f9f55b608b0262c0620206949fff73d47dca913eca8f4057f79628a
SHA5123934a3345f066ccc6250a7bf341f8fef85738d38ddfbc701c2a7ab4481641bbec882b6fd666a28fd68814fe61f58993caa1885c702a880ea9bfc98c06b06b2c8
-
memory/2324-88-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/2324-94-0x0000000000010000-0x00000000000AC000-memory.dmpFilesize
624KB
-
memory/2324-90-0x0000000000010000-0x00000000000AC000-memory.dmpFilesize
624KB
-
memory/2516-24-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2516-34-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3252-25-0x0000000000B70000-0x0000000000BCE000-memory.dmpFilesize
376KB
-
memory/3252-41-0x00000000066F0000-0x000000000672C000-memory.dmpFilesize
240KB
-
memory/3252-19-0x00000000736F0000-0x0000000073EA0000-memory.dmpFilesize
7.7MB
-
memory/3252-32-0x0000000005B40000-0x00000000060E4000-memory.dmpFilesize
5.6MB
-
memory/3252-48-0x00000000736F0000-0x0000000073EA0000-memory.dmpFilesize
7.7MB
-
memory/3252-37-0x00000000054E0000-0x0000000005572000-memory.dmpFilesize
584KB
-
memory/3252-38-0x0000000005430000-0x0000000005440000-memory.dmpFilesize
64KB
-
memory/3252-39-0x0000000005690000-0x00000000056F6000-memory.dmpFilesize
408KB
-
memory/3252-40-0x0000000005AF0000-0x0000000005B02000-memory.dmpFilesize
72KB
-
memory/3520-21-0x0000000001670000-0x0000000001671000-memory.dmpFilesize
4KB
-
memory/3608-85-0x00000000736F0000-0x0000000073EA0000-memory.dmpFilesize
7.7MB
-
memory/3780-62-0x0000000004CA0000-0x0000000004CB0000-memory.dmpFilesize
64KB
-
memory/3780-61-0x00000000736F0000-0x0000000073EA0000-memory.dmpFilesize
7.7MB
-
memory/4240-23-0x0000000000F80000-0x0000000000F81000-memory.dmpFilesize
4KB
-
memory/4240-22-0x0000000000EE0000-0x0000000000F7C000-memory.dmpFilesize
624KB
-
memory/4596-49-0x00000000736F0000-0x0000000073EA0000-memory.dmpFilesize
7.7MB
-
memory/4596-59-0x00000000736F0000-0x0000000073EA0000-memory.dmpFilesize
7.7MB
-
memory/4596-54-0x0000000005620000-0x0000000005630000-memory.dmpFilesize
64KB
-
memory/4596-50-0x0000000005620000-0x0000000005630000-memory.dmpFilesize
64KB
-
memory/4596-53-0x00000000736F0000-0x0000000073EA0000-memory.dmpFilesize
7.7MB
-
memory/4596-52-0x0000000006DC0000-0x0000000006DCA000-memory.dmpFilesize
40KB