Overview

overview

10

Static

static

3

TangoGenV1.3.exe

windows10-2004-x64

10

Resubmissions

04-04-2024 16:35

240404-t3r6cace8z 10

04-04-2024 16:32

240404-t1xytadb47 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    TangoGenV1.3.EXE

  • Size

    52.0MB

  • Sample

    240404-t1xytadb47

  • MD5

    e9150812ffb2317a7ff1a2491a392ade

  • SHA1

    6b929ee7d7555604ec71d2463b6c1602aaf38b75

  • SHA256

    0e01eb02101b4aa05e0484ac9caebb77a7ecda7a36263aac8a32225fa2a8d38a

  • SHA512

    7a7a5c6c29848e5a2f1c12753c6bf9900937b99fd5e07cfb6fc6793216361bc7962fbd0a2b29448bae1c028ab93c11640f176cf5d3897a64973dd954ff417914

  • SSDEEP

    1572864:CxLPRJ/aHOlj/wZuj/hzJHW2ldP2dUOpfa4X62AC:CH2Mhzn+dUSh

Score
10/10
quasarxenoratoffice04persistencepyinstallerratspywarestealertrojanupx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

6.tcp.ngrok.io:16799

Mutex

0c20af10-1b0a-4d0e-bbca-3718ee39e827

Attributes
  • encryption_key

    284202D1B7ED732612BB54048953C4453A2549F9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    System32

  • subdirectory

    SubDir

Extracted

Family

xenorat

C2

6.tcp.ngrok.io

Mutex

fdsfdsfsdfsdfnd8912d

Attributes
  • delay

    1000

  • install_path

    appdata

  • port

    17147

  • startup_name

    Intel Processor ©

Targets

    • Target

      TangoGenV1.3.EXE

    • Size

      52.0MB

    • MD5

      e9150812ffb2317a7ff1a2491a392ade

    • SHA1

      6b929ee7d7555604ec71d2463b6c1602aaf38b75

    • SHA256

      0e01eb02101b4aa05e0484ac9caebb77a7ecda7a36263aac8a32225fa2a8d38a

    • SHA512

      7a7a5c6c29848e5a2f1c12753c6bf9900937b99fd5e07cfb6fc6793216361bc7962fbd0a2b29448bae1c028ab93c11640f176cf5d3897a64973dd954ff417914

    • SSDEEP

      1572864:CxLPRJ/aHOlj/wZuj/hzJHW2ldP2dUOpfa4X62AC:CH2Mhzn+dUSh

    Score
    10/10
    quasarxenoratoffice04persistencepyinstallerratspywarestealertrojanupx

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks