General
-
Target
R3nzSkin_Injector.exe
-
Size
103KB
-
Sample
240522-tlfqzsgf95
-
MD5
147cafca216dbb300c5e56f7de808aa1
-
SHA1
7d391e147d9ee234fac867ad61cdbbba9b097d40
-
SHA256
9f2968fe750813efcccb6acdb999a6ebe28fda318f4f3d2cfeed6d9847eb5b9c
-
SHA512
3df1b20f92109c2b788cba166fd4a3df5226ece2ace9488406280c66648c921efc4dc7c7e72544cb0e5066512d115f255dc74cc83131afcfd6c9b46c493df510
-
SSDEEP
768:10q1YV7TRz0euwKIFRGlQl5iF2kJo9NPYjXQHdoAFzj:tuaevK2RP522kJo9NPkSdD
Static task
static1
Behavioral task
behavioral1
Sample
R3nzSkin_Injector.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
R3nzSkin_Injector.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
quasar
1.4.1
barbu
bardu3662.duckdns.org:9733
afa58199-2aae-4e08-8ef4-8e4ef39bc0aa
-
encryption_key
080342EF5ED2B5D16317695CC4327BF2FFC034AA
-
install_name
RuntimeBroker.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
Updater
-
subdirectory
ApplicationFrameHost
Targets
-
-
Target
R3nzSkin_Injector.exe
-
Size
103KB
-
MD5
147cafca216dbb300c5e56f7de808aa1
-
SHA1
7d391e147d9ee234fac867ad61cdbbba9b097d40
-
SHA256
9f2968fe750813efcccb6acdb999a6ebe28fda318f4f3d2cfeed6d9847eb5b9c
-
SHA512
3df1b20f92109c2b788cba166fd4a3df5226ece2ace9488406280c66648c921efc4dc7c7e72544cb0e5066512d115f255dc74cc83131afcfd6c9b46c493df510
-
SSDEEP
768:10q1YV7TRz0euwKIFRGlQl5iF2kJo9NPYjXQHdoAFzj:tuaevK2RP522kJo9NPkSdD
-
Quasar payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1