Analysis

  • max time kernel
    431s
  • max time network
    1156s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30/03/2024, 10:22

General

  • Target

    nyMr9D3bkD/krampus more like kracked.exe

  • Size

    3.1MB

  • MD5

    236ce233b606ae8a5c0d9718c41e1025

  • SHA1

    391cbbda35a59fcda95e751bb9398bb86db904b9

  • SHA256

    49376d9766f6944866c5d917905a57b9e41bf100457fd3d9b389f6c3c0abbb92

  • SHA512

    1bdf7f4ae94f4a3b82fcaafc8a5bd2187e00ad466793481e59dfe90afee2e5730e59e49d009d629930b903a44d11e029120fa5e8203e0ea8b1ab2496b7a1e793

  • SSDEEP

    49152:MvIt62XlaSFNWPjljiFa2RoUYItsHGmzJLoGd0R1THHB72eh2NT:MvE62XlaSFNWPjljiFXRoUYItsHBkR

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

nyMr9D3bkD

C2

192.168.0.24:4782

Mutex

6b2c33e5-70a8-47f8-8746-f28159049692

Attributes
  • encryption_key

    019832365CF4EA9C63CDBF032EFC8FA4C72C6F0D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe
    "C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:5060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3572-0-0x0000000000E20000-0x000000000114C000-memory.dmp

    Filesize

    3.2MB

  • memory/3572-1-0x00007FFF05740000-0x00007FFF06202000-memory.dmp

    Filesize

    10.8MB

  • memory/3572-2-0x000000001BD60000-0x000000001BD70000-memory.dmp

    Filesize

    64KB

  • memory/3572-4-0x00007FFF05740000-0x00007FFF06202000-memory.dmp

    Filesize

    10.8MB

  • memory/3572-5-0x000000001BD60000-0x000000001BD70000-memory.dmp

    Filesize

    64KB