General

  • Target

    17259189011.zip.bin

  • Size

    17.3MB

  • Sample

    240517-vntw3ahg97

  • MD5

    17a1f190756ea2f94212facaea272fc0

  • SHA1

    f972df11ece43e41d1353dbbe9d69b1dc80f4f32

  • SHA256

    52ec41e428b630194915d3f5e1016e58147c7ae3202cdd1c6d6a4d20c76ea0b5

  • SHA512

    ca89757b76f9add685e3cd57b484f3bd3d6b732f6b51eefd62824afd7e0d96ef08f3d24da90cf968cf67d2277a12e58b27238592e383deb8ce8b272daa8fdc15

  • SSDEEP

    393216:oVB9t0noeu8xP+BTrMUbnr6RmUm2gqvbYN9JPS2:s9tl8xmBk2dhqvkN9Jp

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PoofNRico

C2

nahchris-49021.portmap.host:49021

Mutex

1a5d095f-2c59-4b3f-b053-5bd928b2e541

Attributes

  • encryption_key

    ADBAB4BC16998E7E1913E54C27829FE47C72BE6D

  • install_name

    PlutoBETAv2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    DiscordUpdater.exe

  • subdirectory

    PlutoBETAv2

Targets

    • Target

      PlutoBETA.2/PlutoBETA.V2.exe

    • Size

      3.1MB

    • MD5

      1b84762faebd8469f686f703cbaef7b9

    • SHA1

      41e135a8a2a9525e09a2303055430e36d95780cd

    • SHA256

      4b857bc454edef7fa460fecb36f676fa38bab8b3304f3f07d12b9777fa0b68cb

    • SHA512

      da9482a2ef6fbe659afff4c5a0d1911145bb93be47dd5a714e4e1c24802f1e9d9669f5a209665a7da752e56d2c82c41e48c5bd951d26a2cd763fc8a62d4e703c

    • SSDEEP

      49152:PvylL26AaNeWgPhlmVqvMQ7XSKO1RboGreTHHB72eh2NT:PvqL26AaNeWgPhlmVqkQ7XSKO1l

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Target

      PlutoBETA.2/PlutoBETA.exe

    • Size

      37.6MB

    • MD5

      529f707d764d2da27d2b8f982e5c3c37

    • SHA1

      e4ab7395a54777c310259b975e6ccbd1cc934d37

    • SHA256

      90473bef6e0137f9d543260dec681ee7ce0f0e833f4084b4d427c1fea3f49045

    • SHA512

      67e551b165f02fabd406afaa5a88cf75aa69cec689b544d41d093656783828236813102cbab8d8868457eec070039d381fe544c9215d07f66730fe4e97ceef63

    • SSDEEP

      393216:JQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgh96l+ZArYsFRl7du:J3on1HvSzxAMNhFZArYsSPvp7OZuF

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Target

      PlutoBETA.2/SetupVideo - Shortcut.lnk

    • Size

      1015B

    • MD5

      d835bf06e41cad74eee11c2cc1322107

    • SHA1

      35f73d77ff355ba4aa08a71cec1d49002edd5175

    • SHA256

      fd607023b58ec7535ff83ad28327e15cfb758551fcee20c508d2edead1233403

    • SHA512

      965f62437d740e6bb330b78da1b26642aaba9f1dbd6648b5914263289424715a9e62767bef4f3a6e5f2a57b71c112263d2c58e5ea5572f5dde70a164b39d8942

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks