Overview

overview

10

Static

static

10

SynapseX R...er.exe

windows7-x64

10

SynapseX R...er.exe

windows10-2004-x64

10

SynapseX R...or.dll

windows7-x64

9

SynapseX R...or.dll

windows10-2004-x64

9

Resubmissions

28-05-2024 02:35

240528-c3cl8acg65 10

28-05-2024 02:34

240528-c2ncbsbe8y 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SynapseX.Revamped.V1.5.rar

  • Size

    6.9MB

  • Sample

    240528-c2ncbsbe8y

  • MD5

    358e3fc465a47e440775cd04fe9e9650

  • SHA1

    c0dea173ba12149b325de5831c2e08d8c3ff7b21

  • SHA256

    8739b236fb674c2c3516bc43ecf4b6583ea22ca0d4b2fe417b6223d654d52011

  • SHA512

    1a8dad583487280053ec13a088f02f54177f2c14318d9edfc60121884e6bda8e06979c47fa2e9100db21ecedcb30431a1842c2a6ef3c69f20b703ea07865348f

  • SSDEEP

    196608:SGOV4gKBR19F8lsJ7WJ+ZVNXARR+n9fmYclvlcf:SB4LFXKsJ7QmVNXARkVwl9cf

Score
10/10
quasarwindows updateevasionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Update

C2

skbidiooiilet-31205.portmap.host:31205

Mutex

b2f09b33-2e5b-4ffa-afbf-3f1aaed274a6

Attributes
  • encryption_key

    6F721445F7E0B1CF58980D84A9D49F4458D4EFD9

  • install_name

    Update.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsUpdate

  • subdirectory

    Windows Update

Targets

    • Target

      SynapseX Revamped V1.5/SynapseXBootstrapper.exe

    • Size

      3.1MB

    • MD5

      9434a1822088cedbce057d280c235864

    • SHA1

      c09173a18e5ae2d9d38bd4d3d196adf1423f924e

    • SHA256

      de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336

    • SHA512

      7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632

    • SSDEEP

      49152:PvnI22SsaNYfdPBldt698dBcjHHeJ/uBx3ioGdyTHHB72eh2NT:PvI22SsaNYfdPBldt6+dBcjH4/X

    Score
    10/10
    quasarwindows updatespywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Executes dropped EXE

    behavioral1behavioral2

    • Target

      SynapseX Revamped V1.5/bin/SynapseInjector.dll

    • Size

      6.0MB

    • MD5

      9b248dfff1d2b73fd639324741fe2e08

    • SHA1

      e82684cd6858a6712eff69ace1707b3bcd464105

    • SHA256

      39943c30732988289ca346902f007a72124bd98b82e08b0b9739241cdab4018e

    • SHA512

      56784a895f113088e3c92ccd96f354473e5d849fb9d0798868ff5e9477f60854e8bc7c9759c63417c9298f8702abab266722439b445977c6e940da393b8b696c

    • SSDEEP

      98304:whgYUp+QvBY2uccY07B1nG9CHvaxFNErtcKXc17TEBT0VBTFX3NwwJqOft:w2j8YCRGEP0iOvuT0FXKwt

    Score
    9/10
    evasiontrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

3
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks