Overview

overview

10

Static

static

10

SynV2.exe

windows10-1703-x64

10

SynV2.exe

windows10-2004-x64

10

SynV2.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    496s
  • max time network
    1612s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12-05-2024 02:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SynV2.exe

  • Size

    3.1MB

  • MD5

    007e5cb679d162307ae1e97aae6b60bb

  • SHA1

    a03429b7d5bf4fbe507863f110782b17b3de98ef

  • SHA256

    82c4ebbea3a1cf61cb81196e865149b679df63dacaceef1e1242ce9b855aedf7

  • SHA512

    eb2298577149e34238475eee4329ac031efe4433ca8d3b9951bc1914c52e633a8c4b1034c4ff9b6f79364250cede584b25d9c13556f4fe35ec6be5ac0661a2c0

  • SSDEEP

    49152:pvjt62XlaSFNWPjljiFa2RoUYI204lhhgvJ6EoGdxsTHHB72eh2NT:pvx62XlaSFNWPjljiFXRoUYIchm

Score
10/10
quasarshibaspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Shiba

C2

sites-mood.gl.at.ply.gg:50107

Mutex

987c652c-2a4e-4c5d-bc39-00c8c0f35c5c

Attributes
  • encryption_key

    A88D7FED7F655EBDC4F99C21BAE5EC62300AADC7

  • install_name

    $sxr-insta.exe

  • log_directory

    $sxr-logs

  • reconnect_delay

    1000

  • startup_key

    $sxr-mstha

  • subdirectory

    $sxr-start

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SynV2.exe
    "C:\Users\Admin\AppData\Local\Temp\SynV2.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /K CHCP 437
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\system32\chcp.com
        CHCP 437
        3⤵
          PID:2244
        • C:\Windows\system32\ipconfig.exe
          ipconfig
          3⤵
          • Gathers network information
          PID:3876
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcKm5cPFnOtm.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3020
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:4840
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:1076

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\HcKm5cPFnOtm.bat
        Filesize

        206B

        MD5

        dee25fd7961b143f586e88132266d8b3

        SHA1

        d958ba410ba151983a2598ba079da24707321367

        SHA256

        45cd86404913322caefab55c8f63ada7431956958bbc869c003a888153dbc413

        SHA512

        51a8ad37d79c3b94ce384e42692534b9eff8f46c9e419f183137c8bcfe8d280354daff3dd24286bb1a1ed4c8686df59088d5a75199666c0e35eedefacf4c8dfe

        Download Submit

      • memory/1820-0-0x00007FF995073000-0x00007FF995074000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1820-1-0x0000000000E30000-0x0000000001154000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/1820-2-0x00007FF995070000-0x00007FF995A5C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1820-3-0x000000001C0B0000-0x000000001C100000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1820-4-0x000000001C1C0000-0x000000001C272000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1820-7-0x000000001BCC0000-0x000000001BCD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1820-8-0x000000001C140000-0x000000001C17E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1820-9-0x00007FF995073000-0x00007FF995074000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1820-10-0x00007FF995070000-0x00007FF995A5C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1820-15-0x00007FF995070000-0x00007FF995A5C000-memory.dmp

        Filesize

        9.9MB

        Download