General

  • Target

    1ee04769dbc6bd6c1d9bb696c846840a

  • Size

    1.0MB

  • Sample

    231230-2ppr3agfh4

  • MD5

    1ee04769dbc6bd6c1d9bb696c846840a

  • SHA1

    ddb700fccdbc70c2decc3d89e046a7ea23ee47b5

  • SHA256

    b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed

  • SHA512

    882622d528028fb9b572ca27d898df41cc29582b1e2e689ba74491d5e43291bb00acd49e079302237f7be5f54d392d784c1228d736e7de8a08d805d65b75fda0

  • SSDEEP

    12288:qMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9/V5wsu/QRoJabsuCbacj:qnsJ39LyjbJkQFMhmC+6GD9feUr8

Malware Config

Extracted

Family

redline

C2

65.21.62.31:49227

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

shadhk.duckdns.org:4782

Mutex

QSR_MUTEX_Z7EZg2hUinW3ScKhMN

Attributes
  • encryption_key

    DDAkOSo4mnzxgCHp9low

  • install_name

    svchost.exe

  • log_directory

    SysWOW82

  • reconnect_delay

    5000

  • startup_key

    SysWOW64

  • subdirectory

    Startup
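The two extracted configs give a network hunter three stable indicators: the RedLine socket 65.21.62.31:49227, the Quasar hostname shadhk.duckdns.org and its port 4782. Because duckdns.org is dynamic DNS, the IP the Quasar name resolves to is not a reliable indicator on its own; the hunt below pivots from the DNS answer to the follow-on connection instead. This is an added example, not part of the sandbox report or of either malware family's code. The log lines are constructed for the example in a simplified Zeek-like conn/dns layout (the field order and the TEST-NET addresses are assumptions); adapt the two regexes to your own telemetry.

```python
"""Hunt constructed network logs for the C2 indicators in the extracted configs."""
import re
from dataclasses import dataclass

# Indicators lifted verbatim from the report's Malware Config section.
C2_SOCKETS = {("65.21.62.31", 49227)}           # RedLine C2 (ip, port)
C2_HOSTNAMES = {"shadhk.duckdns.org"}            # Quasar C2 hostname
C2_HOST_PORTS = {("shadhk.duckdns.org", 4782)}   # Quasar C2 (hostname, port)
# Dynamic-DNS rendezvous providers: worth a lower-severity flag on their own.
DYNDNS_SUFFIXES = (".duckdns.org",)

# Assumed log shape (constructed for this example, not a real product format):
#   <ts> conn <src>:<sport> -> <dst>:<dport>
#   <ts> dns  <src> query=<name> [answer=<ip>]
CONN_RE = re.compile(r"^(?P<ts>\S+)\s+conn\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)")
DNS_RE = re.compile(r"^(?P<ts>\S+)\s+dns\s+(?P<src>\S+)\s+query=(?P<qname>\S+)(?:\s+answer=(?P<answer>\S+))?")

@dataclass(frozen=True)
class Hit:
    line_no: int
    severity: str   # "high": exact config indicator; "medium": heuristic
    reason: str

def hunt(lines):
    """Return Hits for C2 traffic, pivoting DNS answers for the Quasar name onto later connections."""
    resolved = {}   # ip -> C2 hostname, filled from DNS answers seen so far
    hits = []
    for n, line in enumerate(lines, 1):
        if m := CONN_RE.match(line):
            dst, dport = m["dst"], int(m["dport"])
            if (dst, dport) in C2_SOCKETS:
                hits.append(Hit(n, "high", f"connection to RedLine C2 {dst}:{dport}"))
            elif dst in resolved and (resolved[dst], dport) in C2_HOST_PORTS:
                hits.append(Hit(n, "high", f"connection to {resolved[dst]} ({dst}) on Quasar port {dport}"))
            continue
        if m := DNS_RE.match(line):
            qname = m["qname"].rstrip(".").lower()
            if qname in C2_HOSTNAMES:
                hits.append(Hit(n, "high", f"DNS lookup of Quasar C2 {qname}"))
                if m["answer"]:
                    resolved[m["answer"]] = qname
            elif qname.endswith(DYNDNS_SUFFIXES):
                hits.append(Hit(n, "medium", f"dynamic DNS lookup {qname}"))
    return hits

# Constructed sample: one infected host (10.0.0.5) beaconing to both C2s, plus benign noise.
SAMPLE_LOGS = [
    "2023-12-30T10:00:01Z dns 10.0.0.5 query=shadhk.duckdns.org answer=203.0.113.7",
    "2023-12-30T10:00:02Z conn 10.0.0.5:50112 -> 203.0.113.7:4782",
    "2023-12-30T10:00:03Z conn 10.0.0.5:50113 -> 65.21.62.31:49227",
    "2023-12-30T10:00:04Z dns 10.0.0.5 query=example.com answer=192.0.2.10",
    "2023-12-30T10:00:05Z conn 10.0.0.5:50114 -> 192.0.2.10:443",
    "2023-12-30T10:00:06Z dns 10.0.0.9 query=other.duckdns.org answer=198.51.100.4",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"line {hit.line_no} [{hit.severity}] {hit.reason}")
```

The RedLine socket is matched as a static (ip, port) pair, which is fine for a hard-coded C2. The Quasar indicator is the hostname: the resolved address is remembered only for the session it came from, so a later IP change at the dynamic-DNS provider does not defeat the match.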

Targets

    • Target

      1ee04769dbc6bd6c1d9bb696c846840a

    • Size

      1.0MB

    • MD5

      1ee04769dbc6bd6c1d9bb696c846840a

    • SHA1

      ddb700fccdbc70c2decc3d89e046a7ea23ee47b5

    • SHA256

      b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed

    • SHA512

      882622d528028fb9b572ca27d898df41cc29582b1e2e689ba74491d5e43291bb00acd49e079302237f7be5f54d392d784c1228d736e7de8a08d805d65b75fda0

    • SSDEEP

      12288:qMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9/V5wsu/QRoJabsuCbacj:qnsJ39LyjbJkQFMhmC+6GD9feUr8

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and Block at First Sight.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
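The signatures above describe two host-side behaviours worth a detection rule: a Run key is added for persistence, and the Windows Defender Real-time Protection settings are modified. Combined with the extracted Quasar config (install_name svchost.exe, startup_key SysWOW64), the persistence tell is a Run value that launches an svchost.exe from outside the Windows system directories. The rule below is an added example, not part of the sandbox report or of the Quasar or RedLine code. It works over constructed events shaped like a simplified Sysmon Event ID 13 (RegistryEvent SetValue); the dictionary field names, the sample paths and the SID are assumptions, and the Defender value names are the documented Real-Time Protection policy values that disable a capability when set to 1.

```python
"""Flag Run-key persistence and Defender tampering in constructed registry-set events."""
import ntpath
from dataclasses import dataclass

RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"
DEFENDER_RTP_PREFIXES = (
    "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\\",
    "hklm\\software\\microsoft\\windows defender\\real-time protection\\",
)
# Real-Time Protection values that switch a Defender capability off when set to 1.
DEFENDER_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableonaccessprotection", "disablescanonrealtimeenable", "disableioavprotection",
}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

@dataclass(frozen=True)
class Finding:
    event_id: int
    severity: str   # "high": masquerade or Defender weakened; "medium": Run value written
    reason: str

def _command_path(details: str) -> str:
    """Extract the executable path from Run-value data, handling quoted paths with arguments."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split()[0] if d else ""

def _dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering of a REG_DWORD; None if not one."""
    d = details.strip()
    if d.upper().startswith("DWORD (") and d.endswith(")"):
        try:
            return int(d[7:-1], 16)
        except ValueError:
            return None
    return None

def analyse(events):
    """Return Findings for Run-key persistence and Defender real-time protection changes."""
    findings = []
    for ev in events:
        key = ev["target_object"]
        k = key.lower()
        value_name = key.rsplit("\\", 1)[-1]
        if RUN_KEY_MARKER in k:
            path = _command_path(ev["details"])
            p = path.lower()
            # svchost.exe is only legitimate under System32/SysWOW64; anywhere else is a masquerade.
            if ntpath.basename(p) == "svchost.exe" and not any(s in p for s in SYSTEM_DIRS):
                findings.append(Finding(ev["id"], "high",
                    f"Run value '{value_name}' starts svchost.exe outside the system directories: {path}"))
            else:
                findings.append(Finding(ev["id"], "medium",
                    f"Run value '{value_name}' written by {ev['image']}: {path}"))
            continue
        for prefix in DEFENDER_RTP_PREFIXES:
            if k.startswith(prefix) and value_name.lower() in DEFENDER_DISABLE_VALUES:
                if _dword(ev["details"]) == 1:
                    findings.append(Finding(ev["id"], "high",
                        f"Defender real-time protection weakened: {value_name}=1 by {ev['image']}"))
                break
    return findings

# Constructed sample events (not captured from the analysed sample): ids 1-2 malicious, 3-5 benign.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\victim\AppData\Roaming\Startup\svchost.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SysWOW64",
     "details": r'"C:\Users\victim\AppData\Roaming\Startup\svchost.exe"'},
    {"id": 2, "image": r"C:\Users\victim\AppData\Local\Temp\loader.exe",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"id": 3, "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"id": 4, "image": r"C:\Windows\System32\svchost.exe",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "details": "DWORD (0x00000000)"},
    {"id": 5, "image": r"C:\Program Files\App\app.exe",
     "target_object": r"HKLM\SOFTWARE\App\Setting", "details": "1"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"event {f.event_id} [{f.severity}] {f.reason}")
```

Event 4 sets a Defender value to 0 (re-enabling) and is deliberately not flagged, so the rule does not fire on an administrator restoring protection. The Quasar mutex (QSR_MUTEX_Z7EZg2hUinW3ScKhMN) is not visible in registry telemetry; it is a live-host indicator to check with a handle enumeration tool rather than from logs.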
