Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2bda8d6ee0...24.exe

windows7-x64

1

2bda8d6ee0...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 06:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2bda8d6ee0e3ba6dbd8093272ca3b524.exe

  • Size

    1.5MB

  • MD5

    2bda8d6ee0e3ba6dbd8093272ca3b524

  • SHA1

    0d6243b098aff07091fc2caa8ca78ba6c5d285d3

  • SHA256

    5889d4b8dd5501b5bb0c31e99fbfba2f35cfcc44acee80f271404ba6e1046c23

  • SHA512

    8ce12e23a3dbb4a185a520a659e0095df4c4157b1d1b0b8eb783bbbe417c19c53ceeaf78fee4882e9a204b91b073e1731dfae50212ab379c0df303e0d56c6744

  • SSDEEP

    24576:KeV7YeExhf9aTXEuw+Plps89RjcyFShWVwjsgli:1KhwTzPlpjncDWG

Score
10/10
quasarnexionhacktoolsagilenetspywaretrojan

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

NexionHackTOOLS

C2

lafeuilleocb.duckdns.org:1604

Mutex

SoOlYmLEeaTU8o2xXj

Attributes
  • encryption_key

    EO5tiig6EEUjYq6qUEGc

  • install_name

    NexiionHaclTOOLS.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    clses

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bda8d6ee0e3ba6dbd8093272ca3b524.exe
    "C:\Users\Admin\AppData\Local\Temp\2bda8d6ee0e3ba6dbd8093272ca3b524.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\debuit.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\debuit.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:936
        • C:\Windows\SysWOW64\NexiionHaclTOOLS.exe
          "C:\Windows\SysWOW64\NexiionHaclTOOLS.exe"
          4⤵
          • Executes dropped EXE
          PID:4772
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C5qAIR9vF5J3.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3916
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
              PID:3188
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              5⤵
              • Runs ping.exe
              PID:3332
            • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
              "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
              5⤵
              • Executes dropped EXE
              PID:3284

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
      Filesize

      1KB

      MD5

      9f0ab4a25d1ed1820e2e6791346fcbb3

      SHA1

      5fe78c8a3b420c4c407e7b081e022b8274fc051b

      SHA256

      dd3304bba5d4cdb7f7edd03bddc9a6196affc5e15cbec3113fb83607082b6df2

      SHA512

      1acccc67e08802bf4cbc7a3f402464b121ed98625aaf6dc1470b081f793fce5740e6138eb72dac74182379d7d2c177cbd1558284c53212e876a963c47104dcab

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\C5qAIR9vF5J3.bat
      Filesize

      208B

      MD5

      0404e163f78f198888745348943e7651

      SHA1

      a55336e03e293dcf3f198ddee1db2d5be8defa22

      SHA256

      c522df343fca25023f7e3670ce04aa684c1cf90eff4c0a27c616aa21df60ff37

      SHA512

      ba0262ce8bc7e84f3f67eda78ef2cdcef152c3e87fe80f302ac1860c66614c2214c12b3267a0eb3b44788afa66e001e83dd16282a7bd4b5902b6bddf45a2512f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Filesize

      41KB

      MD5

      5d4073b2eb6d217c19f2b22f21bf8d57

      SHA1

      f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

      SHA256

      ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

      SHA512

      9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\debuit.exe
      Filesize

      1.5MB

      MD5

      2bda8d6ee0e3ba6dbd8093272ca3b524

      SHA1

      0d6243b098aff07091fc2caa8ca78ba6c5d285d3

      SHA256

      5889d4b8dd5501b5bb0c31e99fbfba2f35cfcc44acee80f271404ba6e1046c23

      SHA512

      8ce12e23a3dbb4a185a520a659e0095df4c4157b1d1b0b8eb783bbbe417c19c53ceeaf78fee4882e9a204b91b073e1731dfae50212ab379c0df303e0d56c6744

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\debuit.exe
      Filesize

      503KB

      MD5

      ee44323007d74cc354584ffa1e780f52

      SHA1

      8e16aec7f4311f46889b3b04cbc5e8671a47afa4

      SHA256

      1950aae7016af047420070a103b4e7e6b9c587868c3aa11d076342fa4d389a8e

      SHA512

      532ecdfe0267b8d543a8d8f6e22201b6c47af21b8756293ccb4ddb98e98f3b59324e602b7b4e303a59e5624296d55f0c2b8959002abd60f93c5e3361732cace8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\debuit.exe
      Filesize

      472KB

      MD5

      6dcdcc5568c0b6e03d70168c5064b299

      SHA1

      f43d4a2b193dc2e66cc5b19fb102c17d57cc568c

      SHA256

      ff69fbc5ec0bc2e47bf5bd8f21fd56c11e5182c0b446c27241e4d191d83b1f22

      SHA512

      c506ed51850adc4a7f8507daebcf919bad40e7dc64e2466e76443d9afe5d09ae11e3aa0fc4396303569a952563b2eb86b7efda3b8d454f8a2baa5ba4bf7e8538

      Download Submit

    • memory/408-15-0x0000000005B90000-0x0000000005BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/408-30-0x0000000074D40000-0x00000000754F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/408-8-0x0000000006670000-0x0000000006698000-memory.dmp

      Filesize

      160KB

      Download

    • memory/408-10-0x0000000007770000-0x0000000007792000-memory.dmp

      Filesize

      136KB

      Download

    • memory/408-9-0x00000000077B0000-0x0000000007816000-memory.dmp

      Filesize

      408KB

      Download

    • memory/408-11-0x0000000005B90000-0x0000000005BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/408-13-0x0000000074D40000-0x00000000754F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/408-14-0x0000000005B90000-0x0000000005BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/408-1-0x0000000000A70000-0x0000000000BF4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/408-6-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/408-5-0x00000000066A0000-0x0000000006BCC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/408-4-0x00000000056B0000-0x0000000005A04000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/408-2-0x0000000005BC0000-0x0000000006164000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/408-7-0x0000000005B90000-0x0000000005BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/408-3-0x0000000005610000-0x00000000056A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/408-0-0x0000000074D40000-0x00000000754F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/936-62-0x0000000074D40000-0x00000000754F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/936-46-0x00000000060A0000-0x00000000060DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/936-45-0x0000000005C60000-0x0000000005C72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/936-42-0x0000000000600000-0x0000000000710000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/936-43-0x0000000074D40000-0x00000000754F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/936-44-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3284-65-0x0000000074D40000-0x00000000754F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3284-66-0x00000000056C0000-0x00000000056D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3284-67-0x0000000074D40000-0x00000000754F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4076-33-0x0000000074D40000-0x00000000754F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4076-37-0x000000000A830000-0x000000000A836000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4076-36-0x0000000007AF0000-0x0000000007B04000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4076-35-0x00000000064F0000-0x0000000006500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4076-34-0x00000000064F0000-0x0000000006500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4076-32-0x00000000064F0000-0x0000000006500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4076-31-0x00000000064F0000-0x0000000006500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4076-29-0x0000000074D40000-0x00000000754F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4772-51-0x0000000000100000-0x000000000010C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4772-53-0x0000000074D40000-0x00000000754F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4772-52-0x0000000004880000-0x000000000489A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4772-54-0x0000000004910000-0x0000000004920000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4772-56-0x0000000074D40000-0x00000000754F0000-memory.dmp

      Filesize

      7.7MB

      Download