Overview

overview

10

Static

static

10

vir.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    vir.exe

  • Size

    354.3MB

  • Sample

    240524-m3g7taee2z

  • MD5

    5e06196e54cd90b0b91d4e5551ff3255

  • SHA1

    6be513b0412bfd6c07c36c9554570a425cd671a3

  • SHA256

    6e42f69c4f5a8ba15619e0ee6c9d30301b0b2d509bd6be25faaeebee2b93d5bd

  • SHA512

    55ee2ff3fbc0eb42d00e9e23c74c02866dd3f18785a1534e346b2ea6b51133da2113ac1aab2747422d5f9cddc0c6cd6f1d940e650c2173b4f3c62762cdc0fa35

  • SSDEEP

    6291456:QdHVoFB/L6k3TpeRNvb1UxftqCtgZm1UQOwgb27CGhugobOzmuNYk:wIR1enREXhOwr7CGh7rmuNV

Score
10/10
njratquasarumbralromkadiscoveryevasionlinkpdfpersistencespywaretrojanupx

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

quasar

Version

1.4.1

Botnet

romka

C2

jozzu420-51305.portmap.host:51305

Mutex

0445c342-b551-411c-9b80-cd437437f491

Attributes
  • encryption_key

    E1BF1D99459F04CAF668F054744BC2C514B0A3D6

  • install_name

    Romilyaa.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows 10 Boot

  • subdirectory

    SubDir

Targets

    • Target

      vir.exe

    • Size

      354.3MB

    • MD5

      5e06196e54cd90b0b91d4e5551ff3255

    • SHA1

      6be513b0412bfd6c07c36c9554570a425cd671a3

    • SHA256

      6e42f69c4f5a8ba15619e0ee6c9d30301b0b2d509bd6be25faaeebee2b93d5bd

    • SHA512

      55ee2ff3fbc0eb42d00e9e23c74c02866dd3f18785a1534e346b2ea6b51133da2113ac1aab2747422d5f9cddc0c6cd6f1d940e650c2173b4f3c62762cdc0fa35

    • SSDEEP

      6291456:QdHVoFB/L6k3TpeRNvb1UxftqCtgZm1UQOwgb27CGhugobOzmuNYk:wIR1enREXhOwr7CGh7rmuNV

    Score
    10/10
    quasarromkadiscoveryevasionpersistencespywaretrojanupx

    • Modifies WinLogon for persistence

      persistence

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • UAC bypass

      evasiontrojan

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

5
T1112

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

7
T1012

System Information Discovery

7
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks