Overview

overview

10

Static

static

10

SynV2.exe

windows10-1703-x64

10

SynV2.exe

windows10-2004-x64

10

SynV2.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1382s
  • max time network
    1172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/05/2024, 02:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SynV2.exe

  • Size

    3.1MB

  • MD5

    007e5cb679d162307ae1e97aae6b60bb

  • SHA1

    a03429b7d5bf4fbe507863f110782b17b3de98ef

  • SHA256

    82c4ebbea3a1cf61cb81196e865149b679df63dacaceef1e1242ce9b855aedf7

  • SHA512

    eb2298577149e34238475eee4329ac031efe4433ca8d3b9951bc1914c52e633a8c4b1034c4ff9b6f79364250cede584b25d9c13556f4fe35ec6be5ac0661a2c0

  • SSDEEP

    49152:pvjt62XlaSFNWPjljiFa2RoUYI204lhhgvJ6EoGdxsTHHB72eh2NT:pvx62XlaSFNWPjljiFXRoUYIchm

Score
10/10
quasarshibaspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Shiba

C2

sites-mood.gl.at.ply.gg:50107

Mutex

987c652c-2a4e-4c5d-bc39-00c8c0f35c5c

Attributes
  • encryption_key

    A88D7FED7F655EBDC4F99C21BAE5EC62300AADC7

  • install_name

    $sxr-insta.exe

  • log_directory

    $sxr-logs

  • reconnect_delay

    1000

  • startup_key

    $sxr-mstha

  • subdirectory

    $sxr-start

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SynV2.exe
    "C:\Users\Admin\AppData\Local\Temp\SynV2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q8Hs0vuES6Kx.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3644
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:1268

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Q8Hs0vuES6Kx.bat
      Filesize

      206B

      MD5

      67508d7b35033c0d5282542e07319ff4

      SHA1

      62dc80676c93612f406b7502ffec817c4dc9db05

      SHA256

      4a26907545b226e82319decc62519aa5291a7bb57557612a3f834d967f93deba

      SHA512

      2e1b6b0332f0431d746663a2d676388f43d43fad42f1f8ad2dfd4ea398063a5748c00d90878961b78b73afd619c5aac3c4ae0d892ccb0b55ad0d9643605c95b1

      Download Submit

    • memory/220-0-0x00007FFAD9F93000-0x00007FFAD9F95000-memory.dmp

      Filesize

      8KB

      Download

    • memory/220-1-0x0000000000670000-0x0000000000994000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/220-2-0x00007FFAD9F90000-0x00007FFADAA51000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/220-3-0x0000000002C20000-0x0000000002C70000-memory.dmp

      Filesize

      320KB

      Download

    • memory/220-4-0x000000001BE60000-0x000000001BF12000-memory.dmp

      Filesize

      712KB

      Download

    • memory/220-5-0x0000000002C70000-0x0000000002C82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/220-6-0x000000001B710000-0x000000001B74C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/220-7-0x00007FFAD9F93000-0x00007FFAD9F95000-memory.dmp

      Filesize

      8KB

      Download

    • memory/220-8-0x00007FFAD9F90000-0x00007FFADAA51000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/220-13-0x00007FFAD9F90000-0x00007FFADAA51000-memory.dmp

      Filesize

      10.8MB

      Download