Analysis
max time kernel: 0s
max time network: 16s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2023 01:35
Behavioral task behavioral1
Sample: Adobe Download Manager.exe
Resource: win7-20231129-en

Behavioral task behavioral2
Sample: Adobe Download Manager.exe
Resource: win10v2004-20231215-en
General
Target: Adobe Download Manager.exe
Size: 2.0MB
MD5: c04ab7d36b2e6e8175fe2e0fa8dccf14
SHA1: 6516b7e30fc92ced182230288726e517251db430
SHA256: bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413
SHA512: c3bc065567b5d302c62c83a67426e465a7000aca9a99d3169c488d54ed9824972e327846109af12314d25ab10180c370468c63b11eb05aac1b3bed7d2110d753
SSDEEP: 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YB
Malware Config

Extracted
Family: quasar
Version: 1.3.0.0
Botnet: EbayProfiles
C2: 5.8.88.191:443, sockartek.icu:443
Mutex: QSR_MUTEX_0kBRNrRz5TDLEQouI0
Attributes:
  encryption_key: MWhG6wsClMX8aJM2CVXT
  install_name: winsock.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: win defender run
  subdirectory: SubDir

Extracted
Family: azorult
C2: http://0x21.in:8000/_az/
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Quasar payload (12 IoCs)
Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\windef.exe  family_quasar
  C:\Users\Admin\AppData\Local\Temp\windef.exe  family_quasar
  C:\Users\Admin\AppData\Local\Temp\windef.exe  family_quasar
  behavioral1/memory/2140-41-0x0000000000EB0000-0x0000000000F0E000-memory.dmp  family_quasar
  \Users\Admin\AppData\Local\Temp\windef.exe  family_quasar
  \Users\Admin\AppData\Local\Temp\windef.exe  family_quasar
  C:\Users\Admin\AppData\Local\Temp\windef.exe  family_quasar
  \Users\Admin\AppData\Local\Temp\windef.exe  family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe  family_quasar
  behavioral1/memory/2828-60-0x0000000000360000-0x00000000003BE000-memory.dmp  family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe  family_quasar
  \Users\Admin\AppData\Roaming\SubDir\winsock.exe  family_quasar

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
  5  ip-api.com

Program crash (1 IoC)
Processes (pid / pid_target / process):
  2712  2148  WerFault.exe

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
  2480  schtasks.exe
  948   schtasks.exe
  1812  schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
  2216  Adobe Download Manager.exe
  2216  Adobe Download Manager.exe
Processes
(Process tree; the number in parentheses is the tree depth, followed by the image path, the command line, and any signature hits.)

(1) C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
    sig: Suspicious behavior: EnumeratesProcesses
  (2) C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
  (2) C:\Windows\SysWOW64\schtasks.exe
      cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
      sig: Creates scheduled task(s)
  (2) C:\Users\Admin\AppData\Local\Temp\windef.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
    (3) C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        cmd: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
      (4) C:\Windows\SysWOW64\schtasks.exe
          cmd: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
          sig: Creates scheduled task(s)
    (3) C:\Windows\SysWOW64\schtasks.exe
        cmd: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
        sig: Creates scheduled task(s)
  (2) C:\Users\Admin\AppData\Local\Temp\vnc.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"

(1) C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 160
    sig: Program crash

(1) C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 32KB
  MD5: 0d3fbd137993977377a181dc9be9cb23
  SHA1: 706feb5e29c4df48ccad18fde026cad17bbe8f11
  SHA256: 70408762de423114d3d5b1ecae5b40cdb882957db33ee8835eaa5aab9bc7458e
  SHA512: a2abee53d03ed8145ed0b0d38e26490be5a4f4aadad00c746c6f52838cd58f659ef9c8a018229aa753c3cd22494bb2168a398910eace3905c4f4e34c886e6c8b

C:\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 50KB
  MD5: d9a46bc5044bb43e3ff93211194a7793
  SHA1: 3631ccf86e7bec7b22484f67d34caa3f003adcd7
  SHA256: 5ca228dc26011829eb91e9a944eeb8eefe05adf03e5c281b04c93dc84d6c3858
  SHA512: 8342c2ab4a267a929807a5646e6921372cce702595be4821133fa9cde55d51eec5e658a00ad95c0f030b72badabe6f73f23332ccc4a06e3041bc3a3a95b5895f

C:\Users\Admin\AppData\Local\Temp\windef.exe
  Filesize: 117KB
  MD5: 55ece710a60f75046845a54d2af90166
  SHA1: 7d5150227639eaa68bdc66da3f0e57884e00944d
  SHA256: a0351a4ec1bccd6ebe1ad1b2711fe41cac97e826541dee54502067ed4fab60de
  SHA512: 8d0dd2b2bfa7f22d1a290807dfdaa566910bfd5e3e981aca87a46e99cabd6d65590ebf96dfbab75577215aa2166367275af9945653b149a6adc869fec4e5a9f4

C:\Users\Admin\AppData\Local\Temp\windef.exe
  Filesize: 29KB
  MD5: 5f95d3f0061661ea00bff1f17d837062
  SHA1: 4593a4649549d21768457ca0e3169ad6543bb751
  SHA256: 250b9304d13e1ffcd224fecd769ea26300b05b07497b2266f691b4ca3927339e
  SHA512: 63f7b5a4f20580d21b12fecdd746fc34cdc7c97ad14191e90a0e78bba7f6e32cdbd58b34aea2216f70dfb34c8cd8fc3553bd9744e515e2a2f5536b28912191ba

C:\Users\Admin\AppData\Local\Temp\windef.exe
  Filesize: 28KB
  MD5: c7de4af91a9da9d4c40d6a2b45852f6c
  SHA1: fbab0610b0ab335c7d896a9de2a2f7889261e1c2
  SHA256: 10576b515e6482e4570cf4e839e890d3b6d63a05672fe14d6014d1257a871764
  SHA512: 96d0f3af21b41453c4c893fb15d9c7a97d65866f4eb5cd47826623272c721cd61be20b0eb32b36e57d3c36ba351e710fdb0d0a693fb380486cf74afeb62369d3

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
  Filesize: 18KB
  MD5: bee8b62e9dea83b5d5ce26df5e7a40b3
  SHA1: d27b8a4bf91065f54bee35bb14ad2c3c5071fcd5
  SHA256: 1906babf7a3f11d8321565062cacacfb1a96ef67d25f506497c9e74ff75b2b54
  SHA512: 31261551042c879dac6dc1089c64e7d8435d15822f71636aeb24161c9960d51393b0b30165e07f1eeac5719b59922decd288d1b71913a37cca7ff424286adbda

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
  Filesize: 5KB
  MD5: 64f63b65544d3521f7dd9dda43bf3b8c
  SHA1: 669a11b036d61c983a81e860864da2020acdbb2a
  SHA256: 704c105076982013ded1f899789c0620b3169b435d8aa2260143c597667f4f84
  SHA512: 155cdcebebb57276d73894daebca806444f3e2b90d258998332663cf31ef9711c6036479a708e1d864076f4a0a30028b041de552989d84d93c8136672e2435d1

\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 1KB
  MD5: 3b714145a64459db203a962b3e47ba18
  SHA1: b4093e7777443048f2a36e70d26609b8acd69fe7
  SHA256: 0610c855b67d4eafd3cf32dbba1b4746795774b2a4584d2dbe270a10d2687b13
  SHA512: 8ff5e17d98806a40c669615bfbad036447f5560180bc995b4786710b24025419e42f56c75d058fb90c024e47479c74a26f1745d8e1da92fb1ef6f5234efc935c

\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 32KB
  MD5: 9814588a640a6556da411c18e53b3ac3
  SHA1: 37ee8f5119ea5553904e2c5548f0e00071d36bd2
  SHA256: d9003b9592874d17ca6b44389b1fefdc4d01ba22ed4e74d68320356424744ca7
  SHA512: 661e0171cf179768415653d7dcf4333155ddc1e9d0b64c9e0e09dd35d56d384674338d049b4dae4c77bd631e51c2ae9420784874aba25f84c865f9b08f197f74

\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 5KB
  MD5: 3af151487fb30f412d2b7855f3bc5609
  SHA1: 438ce528ef5236604658e1c862def48ecd628ecf
  SHA256: 36154cf596a3431fbbdbfd720411f51b6a683a5b75092bb3a76a9bc672440eb1
  SHA512: faa302775f42233e8b2803b2649c209780c3dfc9c7845c5f013671579d5d5817c4b50252a5ecd49b6d3225248e7d891ba22eb54564844a7d397023c178530230

\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 13KB
  MD5: 7925a7ee380054fe84cd29fbee4cb678
  SHA1: 116eecdc2e4c3a369a4025fc5bcc12878eac52ba
  SHA256: a20cfa7c2c561d9d35019d1e683868a3f37b170cb6688fa1edcfddbaa8040554
  SHA512: 2c82c4a479adbafcd057a548a60f2a0797b226599dc41ed2bd3cd3b2dd331f48c02ec59f284fe42ba6524dfb7269e8850a4b86526421822c271ed4e783fdc19d

\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 38KB
  MD5: 72affead8ce7b87ae18677f87aa48dc7
  SHA1: 5565f9697d06deb666ce41dc2c30babed90e3555
  SHA256: f7ec31f5db0df19d3186801c22074c37789f3e7dea13b3c22b62f9571e40bfc6
  SHA512: c1c2efbb7fbb1de91ff48b841e8a31db6dacdf175d3cc4fc96d6dd3c2bf2edcf55b22db350d21422367c0701cc4cd6cd497faf64211efdba24ab121656d172af

\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 50KB
  MD5: 5f05933a0dfe58cb5b70c3cf2835c109
  SHA1: 0a5f1a081a63b2e6a52b58464f6087a3eae0f2de
  SHA256: d96fb84fa7e697cb508a00d04d71e5b1f13bfa36842ae32da783d9d99714cc12
  SHA512: 61e282eee6ea46b5096bfb3498cfe61445a0b74e992b2deec5a79b29c263c7146d68d3804f2fd9d943ff3e54c064a84b2963d48fc09f03efa4da693910fc62e3

\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 43KB
  MD5: 680189c2dfcb56685ca7ea3df29887a4
  SHA1: 78d79b2362e559cccc578f9aa009246d32ef6ff1
  SHA256: e1ce174b34642a7dea9f5715e9e8c6fd3d1f8a4bac4259daeedeb688f5349a0a
  SHA512: 8d09cef9121e3edd6dca01910cdaf9e0a7b51be93a06152613680575ba982506ca6570b553b2d151bb43639b004af10fce639f0bc92296d4997b4a43932942e6

\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 23KB
  MD5: 22c68473579a0ba1f5e58f38ec82a819
  SHA1: 961019fc330ec8ced9a5a80231dcea587b052036
  SHA256: 6914d2567d9403e8b4919a3a00b8679db18106cd6d57098fe636d8c951061dfd
  SHA512: 9371d190c24f93b72bbf25e8e67bf139c18340bc95a3598ed1ece57fc1e302794c2aea5ea9212b377a715c8f0b0f9ddc7aa9d954797e2bbd923adf94d4f0c898

\Users\Admin\AppData\Local\Temp\windef.exe
  Filesize: 23KB
  MD5: 3b4c63cd2ed788593fb129deb3c9c1df
  SHA1: 4ef2e748252adc2c218674362dd7f78a956b4307
  SHA256: e8a37b7a25b39b1a0765f4b5d0f479eced3b761183e62918ee2d57da956d8a87
  SHA512: 73d3292202906d94a6268cff3bdb2fcb1b83f4833a7a11f3a0ee426420a4aa8de81b65f2cb28bc916516a81b717b8ba04f772e52a3e532c9f34c568a3cc3eec0

\Users\Admin\AppData\Local\Temp\windef.exe
  Filesize: 75KB
  MD5: 0dd71afdf4cc2375d8e63d09e11a8c83
  SHA1: a259ac04e94683a8c4acdb37bd21525cafea9707
  SHA256: d07f044edc6332e80ad9b06700b7908cb074db0f8faf21b9f88c0d934f312350
  SHA512: f32606fd7cb40e5411c34d26ce9eb54fe766ef38ba9b32a96e5f2ca60cbff57d815ce39823d921498a252d698adb5db10db7fdb42af5a029e509faa6a194be15

\Users\Admin\AppData\Local\Temp\windef.exe
  Filesize: 67KB
  MD5: 1852a2a68cd4c87e68184580c99ceea8
  SHA1: 2b67c7db8887aef8a5c1dd0f06db337b681635a5
  SHA256: 3342aca6693d2d279cc60042a67d3cc5c9498386eb4b775e5be5087ab75932b4
  SHA512: 6a24fd967b20eb879ac04d3040b7da178b73048a70444e8a220ffc47cfe0821fedfa6b91363bd2048af847eb57ee500bfb798f8810c14aad40476c6e1bb8626b

\Users\Admin\AppData\Local\Temp\windef.exe
  Filesize: 32KB
  MD5: b29f66e7b7b4a8a03efa7a0dce5aa8fc
  SHA1: e8866c88ebe28509b11ebea5de62724862cf061f
  SHA256: e02a48a5cb6408e188f859ee7366ac92d91859d29158e44d7b2cf573cd72fa64
  SHA512: 94acd7a3ca15827447df0fadc185370511bf3678ad46d35a5fe51552f9025fff8776afd927db7f2e0ca5d843eabfe4657ab480b17ce72447d5464035a2b11a73

\Users\Admin\AppData\Roaming\SubDir\winsock.exe
  Filesize: 12KB
  MD5: 597ebe13188229f807af923afa996e05
  SHA1: 0d482218e9c0cf92be61f35db4a9736ec0678323
  SHA256: 1dc62c67047cb4b8ec845bea32b89c60055423ddf1db7bb8cdd8b7f7a999308c
  SHA512: 4f72301a41d3ffafdaf247799191c9fb4fd75275922462a75eb7610bbe612f9f3f37340d62a7d5d0ddb299a4ea82d940af291d9b3e0d6ad9c3192d7e99ecc34a
Memory dumps (dump / Filesize):
  memory/2140-41-0x0000000000EB0000-0x0000000000F0E000-memory.dmp  376KB
  memory/2140-52-0x0000000004AD0000-0x0000000004B10000-memory.dmp  256KB
  memory/2140-51-0x0000000073D60000-0x000000007444E000-memory.dmp  6.9MB
  memory/2140-61-0x0000000073D60000-0x000000007444E000-memory.dmp  6.9MB
  memory/2216-29-0x0000000000910000-0x0000000000911000-memory.dmp  4KB
  memory/2636-44-0x0000000000080000-0x00000000000A0000-memory.dmp  128KB
  memory/2636-30-0x0000000000080000-0x00000000000A0000-memory.dmp  128KB
  memory/2636-32-0x0000000000080000-0x00000000000A0000-memory.dmp  128KB
  memory/2636-39-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp  4KB
  memory/2828-62-0x0000000073D60000-0x000000007444E000-memory.dmp  6.9MB
  memory/2828-63-0x0000000004A70000-0x0000000004AB0000-memory.dmp  256KB
  memory/2828-60-0x0000000000360000-0x00000000003BE000-memory.dmp  376KB