Analysis
-
max time kernel
33s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
17-03-2024 02:05
General
-
Target
fbc01257551c6cd7bc0f2245ed9ce6521861d0238d2272830074f50bfbff620f.exe
-
Size
2.0MB
-
MD5
3df05eb0338fe2e6ef8c5f0717223f04
-
SHA1
e0cfae759348ed0a0b72eb484adbc2f52b37ac77
-
SHA256
fbc01257551c6cd7bc0f2245ed9ce6521861d0238d2272830074f50bfbff620f
-
SHA512
1270b98bced91805350cf3d61f195111179be74f399fc2f14015b28d314b17e9c3469a0b4dc22a0a86bef86341e88cd011ec372d187ac5358b303a4d227fa0d7
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYR:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YP
Malware Config
Extracted
azorult
http://0x21.in:8000/_az/
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 3 IoCs
-
Detects Windows executables referencing non-Windows User-Agents 3 IoCs
-
Detects executables containing common artifacts observed in infostealers 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbc01257551c6cd7bc0f2245ed9ce6521861d0238d2272830074f50bfbff620f.exe"C:\Users\Admin\AppData\Local\Temp\fbc01257551c6cd7bc0f2245ed9ce6521861d0238d2272830074f50bfbff620f.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cbfPm8XDb5YV.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JVtkAIr3B3Il.bat" "6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 22846⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 20564⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\fbc01257551c6cd7bc0f2245ed9ce6521861d0238d2272830074f50bfbff620f.exe"C:\Users\Admin\AppData\Local\Temp\fbc01257551c6cd7bc0f2245ed9ce6521861d0238d2272830074f50bfbff620f.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1648 -ip 16481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4048 -ip 40481⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.logFilesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
C:\Users\Admin\AppData\Local\Temp\JVtkAIr3B3Il.batFilesize
208B
MD5c14bbcbe56190e189291bab0d0e9dbdb
SHA19b3d9936a25c7ce964da69dabc0fdd2d1accdc24
SHA25670c4897513453f98efb358cb8b35e5e53ece77100c0ac38d51b331b6cd764fdf
SHA5129d8d72ed5dc19c27632fd37558f3d60120d59874f4b7ad42cf9758267b76ec4a772a5fe8a28c76d9be0c3cc4573c1922d3d427c707e0f865adbc68bffdebc843
-
C:\Users\Admin\AppData\Local\Temp\cbfPm8XDb5YV.batFilesize
208B
MD50b945ca34bab0b81e1d7b1a2507345bc
SHA1d65422775b21eccfdb886966700b173c915edbce
SHA256f5f824d7edf5077005d5e964cbb4438d6368945428cc0cb8251f6a0609bbb7f2
SHA512b86876286cbced7cd61e712c510cb810b17faa0a6a82fef303a6a32640695eb116a6d95d5b18ed4236f10dafaa7e218281df2c6b3cf5e8af0f86ff28fbffdacf
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\Logs\03-17-2024Filesize
224B
MD561aa123c1fc1fddbddd295aabf3d0ef3
SHA14836de512b0c51408a88678a63ad8ddb5f4f669b
SHA2566a857e587cda9e3c1643283b69559ea1630a1f8af5df6a217e85eae02e39f06d
SHA51224633eeeac246cc6f16fa398ec4942bf8b55b957a082373cbc006da63b7af1cc006f581695e0a84032e9b6d7f6717c71a2634c4825daac880b5e4ad192df2925
-
C:\Users\Admin\AppData\Roaming\Logs\03-17-2024Filesize
224B
MD5f0d88031fe0aecd68f3aaf296fd0e647
SHA1847fc72c1ad151d18208c23f8e47fccc64e4cf37
SHA256482b3d1e369d8881befb7d2f995e4fe2d7fc44bd88eef083425f3cbd030ac5c5
SHA512c8bd81cb2fdd807c82394f6c108d9e6878fa1fcd772e6ff8f2ea24685f590558cf6cc1649f756685550c391c9d4161a314345186babdf87698a322cf79176e02
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD575c751937d40929a69c26d887cef79a3
SHA1763e4adedafe28913f0e747128c9a0871c554249
SHA256ac23c4126c25d6d3f9014112d7d789532e8444845db4e079952702f27ee8ba5d
SHA5120e1ec25ef33b7abb08856b235b3f3466b758573e92d4bc0933a7f78649f78809e62ed69613f4ec844fcc5c1336ed00ed58e941981599ae6002a0d5824d6778b7
-
memory/1476-35-0x0000000000AC0000-0x0000000000AE0000-memory.dmpFilesize
128KB
-
memory/1476-27-0x0000000000AC0000-0x0000000000AE0000-memory.dmpFilesize
128KB
-
memory/1648-56-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/1648-108-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/1648-98-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/1648-59-0x0000000006C60000-0x0000000006C6A000-memory.dmpFilesize
40KB
-
memory/2216-99-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/2216-86-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/2216-87-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/2616-88-0x00000000006A0000-0x00000000006C0000-memory.dmpFilesize
128KB
-
memory/2616-97-0x00000000006A0000-0x00000000006C0000-memory.dmpFilesize
128KB
-
memory/2620-70-0x00000000001D0000-0x000000000026C000-memory.dmpFilesize
624KB
-
memory/2620-74-0x00000000001D0000-0x000000000026C000-memory.dmpFilesize
624KB
-
memory/2620-100-0x00000000001D0000-0x000000000026C000-memory.dmpFilesize
624KB
-
memory/2620-69-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2780-18-0x0000000003570000-0x0000000003571000-memory.dmpFilesize
4KB
-
memory/4048-111-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/4048-106-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/4048-117-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/4048-112-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/4048-107-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/4156-21-0x0000000000800000-0x000000000089C000-memory.dmpFilesize
624KB
-
memory/4156-42-0x0000000000800000-0x000000000089C000-memory.dmpFilesize
624KB
-
memory/4156-20-0x00000000008A0000-0x00000000008A1000-memory.dmpFilesize
4KB
-
memory/4156-25-0x0000000000800000-0x000000000089C000-memory.dmpFilesize
624KB
-
memory/4556-120-0x0000000005020000-0x0000000005030000-memory.dmpFilesize
64KB
-
memory/4556-119-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/4760-38-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/4760-41-0x0000000005260000-0x00000000052F2000-memory.dmpFilesize
584KB
-
memory/4760-40-0x0000000005770000-0x0000000005D14000-memory.dmpFilesize
5.6MB
-
memory/4760-57-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/4760-43-0x0000000005160000-0x0000000005170000-memory.dmpFilesize
64KB
-
memory/4760-45-0x0000000072A60000-0x0000000073210000-memory.dmpFilesize
7.7MB
-
memory/4760-44-0x00000000051C0000-0x0000000005226000-memory.dmpFilesize
408KB
-
memory/4760-46-0x0000000005740000-0x0000000005752000-memory.dmpFilesize
72KB
-
memory/4760-39-0x00000000006A0000-0x00000000006FE000-memory.dmpFilesize
376KB
-
memory/4760-48-0x0000000006680000-0x00000000066BC000-memory.dmpFilesize
240KB