General

  • Target: 4Malware.zip
  • Size: 6.1MB
  • Sample: 231209-bmx3jsdhcj
  • MD5: bea2ac31ab219cbbc749b0aeeff7e872
  • SHA1: 2edc2a00dde9c973fce77348e07310558855dabf
  • SHA256: 2cd40802f898dd95f0756aa6c44263c38131379d0db2da72f37bfa8f53668412
  • SHA512: e0f67143df31d2701e3ec21d3eaf6d74725de1559963c2713c4e0f48264cdab544536e08278d86ec3c0b2f7494c06a5ebe8a24d19842cfcde0f8157e729c889f
  • SSDEEP: 196608:zjgzmPgjU3TJJ5/BAyG8jCz/atKPHGnYb:vbEUDvnGLjatKfGYb

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: Windows Update
  • C2: 141.98.112.144:4782, 192.168.1.1:4782
  • Mutex: 43e4244e-f515-4759-a0f9-81d1dfceed2f
  • Attributes
      • encryption_key: 535B385BFDC78C4C5A8DEE5D1390F4841681628D
      • install_name: Client.exe
      • log_directory: Logs
      • reconnect_delay: 3000
      • startup_key: Windows Update
      • subdirectory: SubDir

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: kmge

  • Decoy: list of 20 decoy domains omitted

Targets

    • Target: 4Malware.zip
    • Size: 6.1MB
    • MD5: bea2ac31ab219cbbc749b0aeeff7e872
    • SHA1: 2edc2a00dde9c973fce77348e07310558855dabf
    • SHA256: 2cd40802f898dd95f0756aa6c44263c38131379d0db2da72f37bfa8f53668412
    • SHA512: e0f67143df31d2701e3ec21d3eaf6d74725de1559963c2713c4e0f48264cdab544536e08278d86ec3c0b2f7494c06a5ebe8a24d19842cfcde0f8157e729c889f
    • SSDEEP: 196608:zjgzmPgjU3TJJ5/BAyG8jCz/atKPHGnYb:vbEUDvnGLjatKfGYb
    • Formbook: Formbook is a data-stealing malware family.
    • ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
    • Quasar RAT: Quasar is an open-source Remote Access Tool.
    • Quasar payload
    • Formbook payload
    • ModiLoader Second Stage
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials.
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

    • Target: Adobe-GenP-3.0.exe
    • Size: 1.5MB
    • MD5: ed76bdafd8d0aeb9429dd3b09d506c1a
    • SHA1: 7a2ffe3a4ff3c0b73eb0205b98cca46fe2cfc1a5
    • SHA256: dd0927db589aa8ebd7b81988de635cecfc55da14821f2a3284af2809c16169be
    • SHA512: 34cfc2d036c695a8a09992759a777338111392016675484ae4a80490c12ee86ffc1c1a7f178c95aac8d61bd98c0d4b2e35437c11c369c7b7bdedea94ede3c29b
    • SSDEEP: 24576:TrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvajHeqtGHhqGx/7m4gDXww7V:T2EYTb8atv1orq+pEiSDTj1VyvBajHej
    • Score: 1/10

    • Target: Qblqxvgkmiptnw.exe
    • Size: 1.8MB
    • MD5: 5367274c27e38bafd0a7802ff489e020
    • SHA1: 10369f258a0e27088d74713c71030de2d2a97854
    • SHA256: 6d2fc83551518ed142a7b984c38f47b34fe1a2399914b323fa7ad23158a2e0a3
    • SHA512: bb56b44babf6fbdba52565d8d721a83f105918bd3db1364df9f1b786b8a1daef3a6c412d9b15a388d890b8342d0ecb0fd0548768bf3d9b87662af50a57352744
    • SSDEEP: 24576:nxCxAUDAImqXeE8oqGQCbPEzbjvy27w6tmQ4Xl+gWeq9X9VxHfg8IitnJ0MNd:nx6VDNXr1+vzw6tmQA+qq/H48htnOM/
    • Formbook: Formbook is a data-stealing malware family.
    • ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
    • Formbook payload
    • ModiLoader Second Stage
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials.
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

    • Target: Set-up.exe
    • Size: 7.3MB
    • MD5: 03663c723e15534e29f315af658c9d4a
    • SHA1: 615952faf3d9153ff8eb356780867f22bd638835
    • SHA256: df028bfa49f56f10268fdebb92786896303ea7a4b885bc93d982beb43375e469
    • SHA512: fb497968b1ad152e63adf5ea43b57b1b6ddf9c453597cbd54c5994edd4b7f17d54bb51f9b653578b3995e5b128455b5be048d1528e19d6be3fffd966d93ff13f
    • SSDEEP: 98304:8z16s9EwkidrwQwPdz9u/ZZmDZJErFXQbZT7wIX0o5:8z16gBrd3gu/XmDZiF0tr
    • Score: 1/10

    • Target: winnnn.exe
    • Size: 3.1MB
    • MD5: 94b66c3142933d8414614b25129de4f6
    • SHA1: 77f04ff0308d49aadd34c5082b691118b26fe949
    • SHA256: 8b757b585ccc9a12ad57fe10fa901d3ab17ee33b7475978c891cae4f1fb00a84
    • SHA512: afdaab59cddc58d560f81dc959278984b2352a91cb5132d577f7e0d562456162807178fb7dab47578511ab5a2f1630d2f65fcdad84d167ccb862587d3845727d
    • SSDEEP: 49152:DvrI22SsaNYfdPBldt698dBcjH4hRJ6abR3LoGdh0THHB72eh2NT:DvU22SsaNYfdPBldt6+dBcjH4hRJ60

MITRE ATT&CK Matrix ATT&CK v13

Execution
  • Scheduled Task/Job (T1053): 2

Persistence
  • Boot or Logon Autostart Execution (T1547): 2
  • Registry Run Keys / Startup Folder (T1547.001): 2
  • Scheduled Task/Job (T1053): 2

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 2
  • Registry Run Keys / Startup Folder (T1547.001): 2
  • Scheduled Task/Job (T1053): 2

Defense Evasion
  • Modify Registry (T1112): 6
  • Subvert Trust Controls (T1553): 1
  • Install Root Certificate (T1553.004): 1

Credential Access
  • Unsecured Credentials (T1552): 2
  • Credentials In Files (T1552.001): 2

Discovery
  • Query Registry (T1012): 3
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 2

Collection
  • Data from Local System (T1005): 2
