Analysis
-
max time kernel
118s -
max time network
236s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
10-11-2023 23:35
General
-
Target
NEAS.0a65e88d8ac5d6a9d718703963ab0180.exe
-
Size
2.0MB
-
MD5
0a65e88d8ac5d6a9d718703963ab0180
-
SHA1
4bb05b85b2b7869f8920708809f381e6ac14bbbd
-
SHA256
ee243488f82668e8ee37055eaedc72240d10f5ce9b1c0e064104c3d3e3d7961a
-
SHA512
8398838a15fec4dd3dea669fa3e9a3c2a0ed232327d6b3273a9e7cff381d3a12a90156913a06f56a0fd86bf6e5f3814ed815f9f4c868df2561aab5cf6316c4a3
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYd:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YH
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 8 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.0a65e88d8ac5d6a9d718703963ab0180.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.0a65e88d8ac5d6a9d718703963ab0180.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\NEAS.0a65e88d8ac5d6a9d718703963ab0180.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.0a65e88d8ac5d6a9d718703963ab0180.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD5ba25a2816801ff0c857fa0960aa1e56e
SHA1e79a0c763349fe16e1e621a16c95ec409d3a85e8
SHA256de592c92e08e74ba6b2a9be688bfa0bb97380691c2bede2ea0f814246633dd3c
SHA5126d8ae1eb99bb9aeca3d057213d55f99488fad297390ad622f912a681c96847c19a4a00bf96936184c6a617529aa6d36ccc5db126335857d2552fcdf73363b9da
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD5ba25a2816801ff0c857fa0960aa1e56e
SHA1e79a0c763349fe16e1e621a16c95ec409d3a85e8
SHA256de592c92e08e74ba6b2a9be688bfa0bb97380691c2bede2ea0f814246633dd3c
SHA5126d8ae1eb99bb9aeca3d057213d55f99488fad297390ad622f912a681c96847c19a4a00bf96936184c6a617529aa6d36ccc5db126335857d2552fcdf73363b9da
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD5ba25a2816801ff0c857fa0960aa1e56e
SHA1e79a0c763349fe16e1e621a16c95ec409d3a85e8
SHA256de592c92e08e74ba6b2a9be688bfa0bb97380691c2bede2ea0f814246633dd3c
SHA5126d8ae1eb99bb9aeca3d057213d55f99488fad297390ad622f912a681c96847c19a4a00bf96936184c6a617529aa6d36ccc5db126335857d2552fcdf73363b9da
-
memory/1716-33-0x0000000000A20000-0x0000000000A21000-memory.dmpFilesize
4KB
-
memory/1716-36-0x0000000000980000-0x0000000000A1C000-memory.dmpFilesize
624KB
-
memory/1716-30-0x0000000000980000-0x0000000000A1C000-memory.dmpFilesize
624KB
-
memory/1716-44-0x0000000000980000-0x0000000000A1C000-memory.dmpFilesize
624KB
-
memory/2244-80-0x0000000072990000-0x0000000073140000-memory.dmpFilesize
7.7MB
-
memory/2244-73-0x0000000072990000-0x0000000073140000-memory.dmpFilesize
7.7MB
-
memory/2244-74-0x0000000005570000-0x0000000005580000-memory.dmpFilesize
64KB
-
memory/2856-81-0x0000000003640000-0x0000000003641000-memory.dmpFilesize
4KB
-
memory/3284-42-0x00000000054F0000-0x0000000005500000-memory.dmpFilesize
64KB
-
memory/3284-29-0x0000000005AD0000-0x0000000006074000-memory.dmpFilesize
5.6MB
-
memory/3284-47-0x0000000006620000-0x0000000006632000-memory.dmpFilesize
72KB
-
memory/3284-25-0x0000000072990000-0x0000000073140000-memory.dmpFilesize
7.7MB
-
memory/3284-24-0x0000000000AA0000-0x0000000000AFE000-memory.dmpFilesize
376KB
-
memory/3284-45-0x0000000005A60000-0x0000000005AC6000-memory.dmpFilesize
408KB
-
memory/3284-43-0x0000000072990000-0x0000000073140000-memory.dmpFilesize
7.7MB
-
memory/3284-78-0x0000000006A60000-0x0000000006A9C000-memory.dmpFilesize
240KB
-
memory/3284-77-0x00000000054F0000-0x0000000005500000-memory.dmpFilesize
64KB
-
memory/3284-41-0x00000000055C0000-0x0000000005652000-memory.dmpFilesize
584KB
-
memory/3840-18-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3840-38-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3952-75-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/3952-76-0x00000000006C0000-0x000000000075C000-memory.dmpFilesize
624KB
-
memory/3952-62-0x00000000006C0000-0x000000000075C000-memory.dmpFilesize
624KB
-
memory/3952-58-0x00000000006C0000-0x000000000075C000-memory.dmpFilesize
624KB
-
memory/4592-19-0x0000000001580000-0x0000000001581000-memory.dmpFilesize
4KB