Analysis
-
max time kernel
10s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
27-03-2024 17:07
General
-
Target
030e8bc0ca23d5d3aed345683c66c88305287717b58c56a0263463cddbe1c0b8.exe
-
Size
2.0MB
-
MD5
73e14efb895cc9aa2445499f65496c41
-
SHA1
d6ed9fce330f2cd17fcfcd96a89bec86882f3fe3
-
SHA256
030e8bc0ca23d5d3aed345683c66c88305287717b58c56a0263463cddbe1c0b8
-
SHA512
0fe119ceb610ecc9549ac1e97a7918f30228a5579b7a6a30ced5bcbe2a080c9ab6dd283ce02c0bb774516f97797e4b8bd53327c05fcf4baddf4791843ab62887
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYn:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yh
Malware Config
Extracted
azorult
http://0x21.in:8000/_az/
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
-
Quasar payload 5 IoCs
-
Detects Windows executables referencing non-Windows User-Agents 5 IoCs
-
Detects executables containing common artifacts observed in infostealers 5 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\030e8bc0ca23d5d3aed345683c66c88305287717b58c56a0263463cddbe1c0b8.exe"C:\Users\Admin\AppData\Local\Temp\030e8bc0ca23d5d3aed345683c66c88305287717b58c56a0263463cddbe1c0b8.exe"1⤵
- Quasar RAT
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQ3WRL2nvsHY.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 21924⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\030e8bc0ca23d5d3aed345683c66c88305287717b58c56a0263463cddbe1c0b8.exe"C:\Users\Admin\AppData\Local\Temp\030e8bc0ca23d5d3aed345683c66c88305287717b58c56a0263463cddbe1c0b8.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1256 -ip 12561⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A59yxvtTjjTo.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 22964⤵
- Program crash
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4680 -ip 46801⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.logFilesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\winsock.exe.logFilesize
701B
MD55de8527438c860bfa3140dc420a03e52
SHA1235af682986b3292f20d8d71a8671353f5d6e16d
SHA256d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92
SHA51277c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8
-
C:\Users\Admin\AppData\Local\Temp\A59yxvtTjjTo.batFilesize
208B
MD5f29e78e6b9e252cd9dab916bbd3b1ed5
SHA1f7e60e60692cdc591eeb077ea63c8831610c8768
SHA256de9567da725f57b5a62411c5e8617b21d75348dae09daf9e58d09480c4d89c17
SHA512d3bbb119b5f78e0d1810ee0a43e30f75a6d8a0f1f6cf31b2eb8d9973bd9a465df833152cad743aabd2eaaf5fc54f30e9f5eda6861dfda0adda5c56f9f3aa0c6f
-
C:\Users\Admin\AppData\Local\Temp\SQ3WRL2nvsHY.batFilesize
208B
MD504a61b511887158f8a1116683f2ac031
SHA12fdcaec68e67d9bbb4392339b83cd0f9f8167d3b
SHA256802f2b4aa72bef0f7993abc9322f36f60ff354ccce955f9e715889e366c68dbc
SHA51277b1ce5d08b3a226feef75f74f1eddbbeb7b8138ccb5a95c99cd9f3bd9ea1121e7c97b26ecf9ea0a1ea663337bc2cb92d17dd3923e69a06159aa19a73fb2671a
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\Logs\03-27-2024Filesize
224B
MD536948f405b0807708cd16e20e3cbad4e
SHA1c78ecc71f4393cc669279c7613d150dc2ebd3057
SHA2566aef1d1b8bc25138ec37d6c6a48b9896b848f760dc997531ba5cd34bf849a99d
SHA512f5a5b950a29a9f9e8ce3c42f4eadf6d7d12d7c14ebf8bcb5010f2e922b7769777f505fc64fe55dbb4926c8d3a4821e79ed914fa2e6e24867699abe5b9199e5f1
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD51e2a8df09bcad3a0e68a01a1ab1e7d95
SHA1e8a02bf94ab1ca54f6b97382b4f12861fbabcaf2
SHA256cd4324f1dd603570c57056f7766d038bb728cbb63f49efd358153fa2d75ad692
SHA512569cd5eb9aff5c29a4b887f955161e7a1c722028f3bbefd60f03bbcc221c24a4cac2256c9c43dd0e19dddc76d037473620d2369c8f46d28ab369511ea975eba8
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
960KB
MD533868857906b83c5ccf6b0c204aeb3e6
SHA12bdf6a11af2cbfb20f8d66d6c1a9c61340afcbbf
SHA2563e42e0f9e779fece6b7a4ad68e8ccfa42d96ff17e2087ae97461dcc666c4661b
SHA5123f4dee9e86ee313eb7bc10b7c0e212435828a0aca976e06d8e9f382b0ae334cf85662bfa61d2c3d65d82d8b01e63e87422d2217813f66c0306a528106ac8aa8e
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
520KB
MD5c56d364585535bb5b984a55c2c3da86c
SHA146d929bc44a8e904b9fd19190c27d80eac166ae8
SHA25684bc2a289474aee9e309172c7370125cf49c0242fe8da4de200e7d85a6fccbaf
SHA5128825586a7ad361a4e9db577375673d120093be4861a886104887cd938f884093af2aca8462d84a7694b44ed92992584134c9bf7df40a5957910e780f82531521
-
memory/1256-52-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/1256-59-0x0000000005870000-0x0000000005880000-memory.dmpFilesize
64KB
-
memory/1256-58-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/1256-69-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/1256-56-0x0000000007130000-0x000000000713A000-memory.dmpFilesize
40KB
-
memory/1256-53-0x0000000005870000-0x0000000005880000-memory.dmpFilesize
64KB
-
memory/1652-39-0x0000000005150000-0x00000000051E2000-memory.dmpFilesize
584KB
-
memory/1652-45-0x0000000006430000-0x000000000646C000-memory.dmpFilesize
240KB
-
memory/1652-54-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/1652-44-0x0000000005FF0000-0x0000000006002000-memory.dmpFilesize
72KB
-
memory/1652-43-0x00000000053F0000-0x0000000005456000-memory.dmpFilesize
408KB
-
memory/1652-42-0x0000000002C80000-0x0000000002C90000-memory.dmpFilesize
64KB
-
memory/1652-36-0x0000000005700000-0x0000000005CA4000-memory.dmpFilesize
5.6MB
-
memory/1652-28-0x00000000006A0000-0x00000000006FE000-memory.dmpFilesize
376KB
-
memory/1652-26-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/1952-100-0x0000000005230000-0x0000000005240000-memory.dmpFilesize
64KB
-
memory/1952-119-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/1952-99-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/2236-18-0x0000000003920000-0x0000000003921000-memory.dmpFilesize
4KB
-
memory/2400-66-0x00000000052D0000-0x00000000052E0000-memory.dmpFilesize
64KB
-
memory/2400-65-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/2400-68-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/4112-29-0x0000000000A00000-0x0000000000A01000-memory.dmpFilesize
4KB
-
memory/4112-57-0x0000000000960000-0x00000000009FC000-memory.dmpFilesize
624KB
-
memory/4112-25-0x0000000000960000-0x00000000009FC000-memory.dmpFilesize
624KB
-
memory/4112-37-0x0000000000960000-0x00000000009FC000-memory.dmpFilesize
624KB
-
memory/4148-84-0x00000000005A0000-0x000000000063C000-memory.dmpFilesize
624KB
-
memory/4148-89-0x00000000005A0000-0x000000000063C000-memory.dmpFilesize
624KB
-
memory/4148-85-0x00000000005A0000-0x000000000063C000-memory.dmpFilesize
624KB
-
memory/4148-122-0x00000000005A0000-0x000000000063C000-memory.dmpFilesize
624KB
-
memory/4148-83-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/4680-117-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/4680-118-0x0000000004FC0000-0x0000000004FD0000-memory.dmpFilesize
64KB
-
memory/4680-123-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/4680-124-0x0000000004FC0000-0x0000000004FD0000-memory.dmpFilesize
64KB
-
memory/4680-129-0x0000000073180000-0x0000000073930000-memory.dmpFilesize
7.7MB
-
memory/4980-38-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4980-20-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB