General
Target: krummy-lavacrypt-gfhd.exe
Size: 3.5MB
Sample: 240425-gf2eaagc53
MD5: af1082c667a09a0f1f6adb041ca37d34
SHA1: ccb770b00596a1d2fa0d9d7d3dbe9451734a30f9
SHA256: 28b7e5568fcbab776e1bbb1be485a4299a760240fe4b1c60cb3ce68a0e0c4ba6
SHA512: 4d1c50b42077ec0a8f0060410e75201e920b951f299e8d9a247fb4ba3c920ef5d16f7b30e2decef5323d88e28e3daeee60ae3fcd1e00de36e0185336b1582404
SSDEEP: 98304:p99xyD6/xKyfNf6wZsi/0+zqEsf+JQgWq:rXIc7fNf6Y4EsWxR
Static task: static1
Behavioral task: behavioral1
Sample: krummy-lavacrypt-gfhd.exe
Resource: win7-20231129-en
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Slave
C2: 157.20.182.46:4782
Mutex: a5764ae9-1c39-4533-95ca-a5d90dae860a
encryption_key: BA20F732417E96C201B42F315FAD6CF773D77589
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Client
subdirectory: SubDir
Targets
Target: krummy-lavacrypt-gfhd.exe
Quasar payload
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Adds Run key to start application
Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Scheduled Task/Job: 1
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Scheduled Task/Job: 1
Defense Evasion
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Impair Defenses: 3
Disable or Modify Tools: 3
Modify Registry: 5
Virtualization/Sandbox Evasion: 2