Overview

overview

10

Static

static

10

dec50393eb...f3.exe

windows7-x64

10

dec50393eb...f3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3

  • Size

    968KB

  • MD5

    c82a3da38e0debb9a378f1dc3777c33e

  • SHA1

    aa6c7428f186d9498ca705b9c0d58736757a632e

  • SHA256

    dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3

  • SHA512

    628cda89421e6327ba5a274d28386faf0b56c35f52dc237bbc310aef2a20ec5d5b7fb1bc4f22d610981ce5c6a9733bfc16568f473eb23b43094637b1db969cc1

  • SSDEEP

    24576:FmtpMM4Qevjz8fSEhQKQWxUg9RzZtNMiTRqfLj:EpviIOYxUQRzZtNyj

Score
10/10
ratwindows securityasyncratquasarstormkitty

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security

C2

37.0.14.203:7812

Mutex

VNM_MUTEX_2r4e6JnVsMyKl6Aod6

Attributes
  • encryption_key

    7m3r0pz1Q0GDX0J3KjKp

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Updated

  • subdirectory

    Win32

Signatures

  • Async RAT payload 1 IoCs
    rat
  • Asyncrat family
    asyncrat
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 1 IoCs
  • Detects executables containing artifacts associated with disabling Widnows Defender 1 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
  • Detects executables referencing Discord tokens regular expressions 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing credit card regular expressions 1 IoCs
  • Detects executables referencing many VPN software clients. Observed in infosteslers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables using Telegram Chat Bot 1 IoCs
  • Detects executables with interest in wireless interface using netsh 1 IoCs
  • Detects file containing reversed ASEP Autorun registry keys 1 IoCs
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Unsigned PE 1 IoCs

    Checks for missing Authenticode signature.

Files

  • dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3
    .exe windows:4 windows x86 arch:x86

    f34d5f2d4577ed6d9ceec516c1f5a744


    Headers

    Imports

    Sections