Overview

overview

10

Static

static

3

d5a637dbba...f4.exe

windows7-x64

10

d5a637dbba...f4.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6910d498de78f23410fb3bbf160a2050f3f1289cdad6140deae600c0bb9cebcf

  • Size

    708KB

  • Sample

    240417-rrve8abg92

  • MD5

    1a52d991a548e88e0643a600c6868aae

  • SHA1

    afba42eecb429378e0d0e694324ba2e06b2cc4fe

  • SHA256

    6910d498de78f23410fb3bbf160a2050f3f1289cdad6140deae600c0bb9cebcf

  • SHA512

    793384ea04c891dc372f409db1e0512ce0df0179abba56553ca5fb587d8de71959106c2c1acba980ad6b8b6c83284664a871e85f16978695744ca797bb403cb5

  • SSDEEP

    12288:KOc4gnLFwTx4xJaoB4X1P6UdDb60skOV2JcFzjc/qMQVNwESkkStS:KO7gSTWJhBYHtb8kO/Zc2sEGSY

Score
10/10
quasarzgratevasionpersistenceransomwareratspywaretrojan

Malware Config

Targets

    • Target

      d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4.exe

    • Size

      725KB

    • MD5

      5db47cc0eb5dae97ad8ea7d3ccbf3f8c

    • SHA1

      444f8028c412c7661c3204e82da703ffdc607291

    • SHA256

      d5a637dbba35358ada6021003d135a7ebfaa36f4de9646635bfdfc35d9077af4

    • SHA512

      ab5ae0c399fb4b475d85cf0c07d7c2d4aeae7ac7c2b53b8c6b26afc3eb007dfe3fdde03e695a78f0f8d1dd6648c7378d5f5063732b74bbe0d2579040a59d76d2

    • SSDEEP

      12288:d3IU8S6eUd/rqMtJwy8cpe/8pg3P20aweKkKfncC8AHLG0JlB99e78:FItSAdzltJwKpyuokK/cC8o9Bl

    Score
    10/10
    quasarzgratevasionpersistenceransomwareratspywaretrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect ZGRat V1

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies security service

      evasion

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

4
T1562

Disable or Modify Tools

4
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

7
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks