Overview

overview

10

Static

static

10

4Malware.zip

windows10-2004-x64

10

Adobe-GenP-3.0.exe

windows10-2004-x64

1

Qblqxvgkmiptnw.exe

windows10-2004-x64

10

Set-up.exe

windows10-2004-x64

1

winnnn.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    519s
  • max time network
    518s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2023 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4Malware.zip

  • Size

    6.1MB

  • MD5

    bea2ac31ab219cbbc749b0aeeff7e872

  • SHA1

    2edc2a00dde9c973fce77348e07310558855dabf

  • SHA256

    2cd40802f898dd95f0756aa6c44263c38131379d0db2da72f37bfa8f53668412

  • SHA512

    e0f67143df31d2701e3ec21d3eaf6d74725de1559963c2713c4e0f48264cdab544536e08278d86ec3c0b2f7494c06a5ebe8a24d19842cfcde0f8157e729c889f

  • SSDEEP

    196608:zjgzmPgjU3TJJ5/BAyG8jCz/atKPHGnYb:vbEUDvnGLjatKfGYb

Score
10/10
formbookmodiloaderquasarwindows updatekmgepersistenceratspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Update

C2

141.98.112.144:4782

192.168.1.1:4782
Mutex

43e4244e-f515-4759-a0f9-81d1dfceed2f

Attributes
  • encryption_key

    535B385BFDC78C4C5A8DEE5D1390F4841681628D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    SubDir

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Formbook payload 4 IoCs
    rat
  • ModiLoader Second Stage 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\4Malware.zip
      2⤵
        PID:1992
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /7
        2⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4292
      • C:\Users\Admin\Desktop\winnnn.exe
        "C:\Users\Admin\Desktop\winnnn.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:2568
      • C:\Users\Admin\Desktop\Adobe-GenP-3.0.exe
        "C:\Users\Admin\Desktop\Adobe-GenP-3.0.exe"
        2⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:3904
      • C:\Users\Admin\Desktop\Qblqxvgkmiptnw.exe
        "C:\Users\Admin\Desktop\Qblqxvgkmiptnw.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4360
        • C:\Windows\SysWOW64\colorcpl.exe
          C:\Windows\System32\colorcpl.exe
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2268
      • C:\Users\Admin\Desktop\Set-up.exe
        "C:\Users\Admin\Desktop\Set-up.exe"
        2⤵
        • Modifies Internet Explorer settings
        PID:4500
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:4852
        • C:\Windows\SysWOW64\WWAHost.exe
          "C:\Windows\SysWOW64\WWAHost.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4304
          • C:\Windows\SysWOW64\cmd.exe
            /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            3⤵
              PID:1412
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              3⤵
                PID:4856
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            1⤵
              PID:1432

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Scheduled Task/Job

            1
            T1053

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Scheduled Task/Job

            1
            T1053

            Defense Evasion

            Modify Registry

            2
            T1112

            Credential Access

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Query Registry

            2
            T1012

            Peripheral Device Discovery

            1
            T1120

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\DB1
              Filesize

              46KB

              MD5

              02d2c46697e3714e49f46b680b9a6b83

              SHA1

              84f98b56d49f01e9b6b76a4e21accf64fd319140

              SHA256

              522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

              SHA512

              60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

              Download Submit
            • C:\Users\Admin\AppData\Roaming\LK3BNUQ2\LK3logim.jpeg
              Filesize

              121KB

              MD5

              124133c6e6ba25907b458c6b9683a27d

              SHA1

              2f20c74116914f65992ed7b01d80a81419d0b189

              SHA256

              73a78a7ae2ed7fae9c9ae7cdf8cd444500a18e3fa540480700e2e7aa839d903b

              SHA512

              3197299669daa5ab833c6102b94799647b9bd3f41f6dc8e9e686f93662f9f77f3979a5d053b0c4cbb4db17aa5cc7ad56284606d5f5d48e1f9f578bc3194b8345

              Download Submit
            • C:\Users\Admin\AppData\Roaming\LK3BNUQ2\LK3logrf.ini
              Filesize

              40B

              MD5

              2f245469795b865bdd1b956c23d7893d

              SHA1

              6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

              SHA256

              1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

              SHA512

              909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

              Download Submit
            • C:\Users\Admin\AppData\Roaming\LK3BNUQ2\LK3logrg.ini
              Filesize

              38B

              MD5

              4aadf49fed30e4c9b3fe4a3dd6445ebe

              SHA1

              1e332822167c6f351b99615eada2c30a538ff037

              SHA256

              75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

              SHA512

              eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

              Download Submit
            • C:\Users\Admin\AppData\Roaming\LK3BNUQ2\LK3logri.ini
              Filesize

              40B

              MD5

              d63a82e5d81e02e399090af26db0b9cb

              SHA1

              91d0014c8f54743bba141fd60c9d963f869d76c9

              SHA256

              eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

              SHA512

              38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

              Download Submit
            • C:\Users\Admin\AppData\Roaming\LK3BNUQ2\LK3logrv.ini
              Filesize

              872B

              MD5

              bbc41c78bae6c71e63cb544a6a284d94

              SHA1

              33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

              SHA256

              ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

              SHA512

              0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

              Download Submit
            • C:\Users\Public\Qblqxvgk.url
              Filesize

              100B

              MD5

              4ca0baabe52b332dd13ef0207cef3a2d

              SHA1

              83d38e7abec3bc4ef4d9d83454a48c7b9c7fcfbf

              SHA256

              e6fe9ab85ea1df2c1cd9f2367fb5beef6df66ece574b3dc513ed42d76d10a349

              SHA512

              ac29154d38e0138d3acdeb58a868fe24d2e6108975ed3e850e9d68430d4f9067997041eb4fe81ec4b6970d98cf4b543e857d61e25f6e5ff045895213e574fa40

              Download Submit
            • memory/1812-15-0x00007FFAB7D00000-0x00007FFAB87C1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/1812-28-0x000000001BF90000-0x000000001BFE0000-memory.dmp
              Filesize

              320KB

              Download
            • memory/1812-43-0x00007FFAB7D00000-0x00007FFAB87C1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/1812-14-0x0000000000470000-0x0000000000794000-memory.dmp
              Filesize

              3.1MB

              Download
            • memory/1812-31-0x000000001C020000-0x000000001C05C000-memory.dmp
              Filesize

              240KB

              Download
            • memory/1812-16-0x000000001B2A0000-0x000000001B2B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/1812-30-0x000000001BF60000-0x000000001BF72000-memory.dmp
              Filesize

              72KB

              Download
            • memory/1812-29-0x000000001C0A0000-0x000000001C152000-memory.dmp
              Filesize

              712KB

              Download
            • memory/2268-45-0x0000000016700000-0x0000000016714000-memory.dmp
              Filesize

              80KB

              Download
            • memory/2268-41-0x00000000027A0000-0x0000000002AEA000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/2268-44-0x0000000004650000-0x0000000005650000-memory.dmp
              Filesize

              16.0MB

              Download
            • memory/2268-39-0x0000000004650000-0x0000000005650000-memory.dmp
              Filesize

              16.0MB

              Download
            • memory/3120-83-0x000000000FAF0000-0x000000000FC34000-memory.dmp
              Filesize

              1.3MB

              Download
            • memory/3120-72-0x000000000FAF0000-0x000000000FC34000-memory.dmp
              Filesize

              1.3MB

              Download
            • memory/3120-74-0x000000000FAF0000-0x000000000FC34000-memory.dmp
              Filesize

              1.3MB

              Download
            • memory/3120-46-0x0000000013830000-0x000000001397C000-memory.dmp
              Filesize

              1.3MB

              Download
            • memory/4292-12-0x0000013A7D420000-0x0000013A7D421000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4292-9-0x0000013A7D420000-0x0000013A7D421000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4292-10-0x0000013A7D420000-0x0000013A7D421000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4292-11-0x0000013A7D420000-0x0000013A7D421000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4292-2-0x0000013A7D420000-0x0000013A7D421000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4292-6-0x0000013A7D420000-0x0000013A7D421000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4292-7-0x0000013A7D420000-0x0000013A7D421000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4292-8-0x0000013A7D420000-0x0000013A7D421000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4292-1-0x0000013A7D420000-0x0000013A7D421000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4292-0-0x0000013A7D420000-0x0000013A7D421000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4304-51-0x00000000001C0000-0x00000000001EF000-memory.dmp
              Filesize

              188KB

              Download
            • memory/4304-69-0x0000000001000000-0x0000000001093000-memory.dmp
              Filesize

              588KB

              Download
            • memory/4304-53-0x00000000001C0000-0x00000000001EF000-memory.dmp
              Filesize

              188KB

              Download
            • memory/4304-52-0x00000000012C0000-0x000000000160A000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/4304-75-0x0000000001000000-0x0000000001093000-memory.dmp
              Filesize

              588KB

              Download
            • memory/4304-50-0x00000000006E0000-0x00000000007BC000-memory.dmp
              Filesize

              880KB

              Download
            • memory/4304-47-0x00000000006E0000-0x00000000007BC000-memory.dmp
              Filesize

              880KB

              Download
            • memory/4360-21-0x0000000004000000-0x0000000005000000-memory.dmp
              Filesize

              16.0MB

              Download
            • memory/4360-34-0x0000000000400000-0x00000000005D7000-memory.dmp
              Filesize

              1.8MB

              Download
            • memory/4360-32-0x0000000004000000-0x0000000005000000-memory.dmp
              Filesize

              16.0MB

              Download
            • memory/4360-17-0x0000000002230000-0x0000000002231000-memory.dmp
              Filesize

              4KB

              Download