General
- Target: vir.exe
- Size: 36.2MB
- Sample: 240523-21z26scg22
- MD5: b264bf0492e3370ceda89b4163ec4fce
- SHA1: 3999871b86399e8e7f00b7f07337eb33c36b2da0
- SHA256: 5fcd371bdff34f9ac235a59e3b3f82c45638f94d144674cce9befe28c1d74edd
- SHA512: 6cc45147128c5361c42a4f7bf111c8a76cf0b9a6a57a4fe56e8916e550d8c8bba987e7aee2db338c39bdd0f3ce7d0115bb8f1e578ea8eb5b1d300c986b1613ff
- SSDEEP: 786432:a4RerlLa3nwEwrkACTe6YQbjGEhM67HXkvj:XulW3wEoA3HUr
Malware Config
Extracted: quasar
- reconnect_delay: 3000
Extracted: quasar
1.4.1
romka
jozzu420-51305.portmap.host:51305
0445c342-b551-411c-9b80-cd437437f491
- encryption_key: E1BF1D99459F04CAF668F054744BC2C514B0A3D6
- install_name: Romilyaa.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Windows 10 Boot
- subdirectory: SubDir
Signatures
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Quasar payload
- Disables RegEdit via registry modification
- .NET Reactor protector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Modifies file permissions
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)

Defense Evasion
- Modify Registry (10)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- File and Directory Permissions Modification (1)