General

  • Target

    R3nzSkin_Injector.exe

  • Size

    103KB

  • Sample

    240522-tlfqzsgf95

  • MD5

    147cafca216dbb300c5e56f7de808aa1

  • SHA1

    7d391e147d9ee234fac867ad61cdbbba9b097d40

  • SHA256

    9f2968fe750813efcccb6acdb999a6ebe28fda318f4f3d2cfeed6d9847eb5b9c

  • SHA512

    3df1b20f92109c2b788cba166fd4a3df5226ece2ace9488406280c66648c921efc4dc7c7e72544cb0e5066512d115f255dc74cc83131afcfd6c9b46c493df510

  • SSDEEP

    768:10q1YV7TRz0euwKIFRGlQl5iF2kJo9NPYjXQHdoAFzj:tuaevK2RP522kJo9NPkSdD

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

barbu

C2

bardu3662.duckdns.org:9733

Mutex

afa58199-2aae-4e08-8ef4-8e4ef39bc0aa

Attributes
  • encryption_key

    080342EF5ED2B5D16317695CC4327BF2FFC034AA

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    Updater

  • subdirectory

    ApplicationFrameHost

Targets

    • Target

      R3nzSkin_Injector.exe

    • Size

      103KB

    • MD5

      147cafca216dbb300c5e56f7de808aa1

    • SHA1

      7d391e147d9ee234fac867ad61cdbbba9b097d40

    • SHA256

      9f2968fe750813efcccb6acdb999a6ebe28fda318f4f3d2cfeed6d9847eb5b9c

    • SHA512

      3df1b20f92109c2b788cba166fd4a3df5226ece2ace9488406280c66648c921efc4dc7c7e72544cb0e5066512d115f255dc74cc83131afcfd6c9b46c493df510

    • SSDEEP

      768:10q1YV7TRz0euwKIFRGlQl5iF2kJo9NPYjXQHdoAFzj:tuaevK2RP522kJo9NPkSdD

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks