Overview

overview

10

Static

static

10

uni/Uni - ...2).exe

windows7-x64

10

uni/Uni - ...2).exe

windows10-2004-x64

10

uni/Uni - ...3).exe

windows7-x64

10

uni/Uni - ...3).exe

windows10-2004-x64

10

uni/Uni - ...4).exe

windows7-x64

10

uni/Uni - ...4).exe

windows10-2004-x64

10

uni/Uni - ...5).exe

windows7-x64

10

uni/Uni - ...5).exe

windows10-2004-x64

10

uni/Uni - ...6).exe

windows7-x64

10

uni/Uni - ...6).exe

windows10-2004-x64

10

uni/Uni - Copy.exe

windows7-x64

10

uni/Uni - Copy.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    284s
  • max time network
    287s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-06-2024 06:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    uni/Uni - Copy (6).exe

  • Size

    409KB

  • MD5

    b70fdac25a99501e3cae11f1b775249e

  • SHA1

    3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

  • SHA256

    51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

  • SHA512

    43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

  • SSDEEP

    12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score
10/10
quasarseroxenspywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892
Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes
  • encryption_key

    Lme7VBS3l58VwLM69PNM

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SeroXen

  • subdirectory

    SubDir

Signatures

  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (6).exe
    "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (6).exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (6).exe" /rl HIGHEST /f
      2⤵
      • Quasar RAT
      • Creates scheduled task(s)
      PID:2716
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2456
      • C:\Users\Admin\AppData\Local\Temp\mHmzclNMiRU6.exe
        "C:\Users\Admin\AppData\Local\Temp\mHmzclNMiRU6.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2900
    • C:\Windows\SysWOW64\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Uni - Copy (6).exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (6).exe'" /sc onlogon /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:2524
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x488
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1860
  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1512
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.0.1125361142\1038663226" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1224 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5137fc9a-aa3e-4581-b4b5-1afdedd25de0} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 1324 fe07858 gpu
        3⤵
          PID:304
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.1.1619734106\1083142566" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dd095d8-3569-4a4b-8f56-6f5892632758} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 1508 41fb458 socket
          3⤵
            PID:1920
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.2.291489641\1636978342" -childID 1 -isForBrowser -prefsHandle 1960 -prefMapHandle 1956 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2144a06a-4257-4a2c-bcda-b391e8d2050f} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 1972 10d5ea58 tab
            3⤵
              PID:2428
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.3.1442704916\1122594355" -childID 2 -isForBrowser -prefsHandle 1648 -prefMapHandle 1668 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d270726e-fddf-4c53-8d24-9aa7c9618185} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 628 d69058 tab
              3⤵
                PID:488
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.4.1022352910\311594822" -childID 3 -isForBrowser -prefsHandle 2792 -prefMapHandle 2788 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eee99ca-3142-4abc-a30b-1b020552e64b} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 2804 1bdab958 tab
                3⤵
                  PID:684
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.5.228483377\1361103315" -childID 4 -isForBrowser -prefsHandle 3764 -prefMapHandle 3760 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14f12f99-3de3-48a3-b6ee-cd6a3b7df2a4} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 3780 1e5d1c58 tab
                  3⤵
                    PID:324
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.6.2088101427\324192267" -childID 5 -isForBrowser -prefsHandle 3884 -prefMapHandle 3888 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90a3c01d-ba67-412a-950a-d1a5fc37ba2d} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 3872 1f848558 tab
                    3⤵
                      PID:912
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2432.7.94582617\624960760" -childID 6 -isForBrowser -prefsHandle 4060 -prefMapHandle 4064 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5292f5-3839-4dcb-87a5-ff0b69910b24} 2432 "\\.\pipe\gecko-crash-server-pipe.2432" 4048 1f849458 tab
                      3⤵
                        PID:1968

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\mHmzclNMiRU6.exe
                    Filesize

                    277KB

                    MD5

                    dac0c5b2380cbdd93b46763427c9f8df

                    SHA1

                    038089e1a0ac8375be797fc3ce7ae719abc72834

                    SHA256

                    d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

                    SHA512

                    05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
                    Filesize

                    3KB

                    MD5

                    7c6de3fccd424b3c0a198022392e0199

                    SHA1

                    e77f7c89df4f496c5aed4bf7c859c4804e4808af

                    SHA256

                    036b90ba0f5f36a4968ca5d398bf755e02a7daf55813b8b835729390d7c23f39

                    SHA512

                    906df1381bdb019f41ad6366a7f35460197b47a5fad38ee61431aaeedb35cd0ad771462cef9afe492f3ee9795b80e591631c6806507ac635a7791551aae6fc56

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\datareporting\glean\pending_pings\853629cf-07f4-421c-98a0-5f7716aefb25
                    Filesize

                    745B

                    MD5

                    cbb1cf27ed10a20a421165d60396d506

                    SHA1

                    a6214f09695181a3f5264c0455c7385b18491d1c

                    SHA256

                    daa224c4a4a07d6c7444de7e35aec81ab90568a021ee1f17c073f85f9d140537

                    SHA512

                    d7d9e74d151d9efd9b60cd06c41632f771d3c8febce0f2dd120ea5afe20fad4d2099b56f24199f9084a8ab7fd99c373ea313761cc0970cea5d918480b9505fdd

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\datareporting\glean\pending_pings\f8965366-52fc-4d7e-a63e-f2607ee651e2
                    Filesize

                    12KB

                    MD5

                    b3fc9abbb1d50c99cb1f0036f321af36

                    SHA1

                    118b5a6838a6feb7b9ab8ba5bcb61a9820052c67

                    SHA256

                    025acbcc25a8175e8dd2a459afa608de2b5edaa5b5a6e753206859d5b54c9053

                    SHA512

                    bc509d9fb49b32d6e0b61c3715a00a651a3f49882f9d000cbb42272122934af59991257848d2e6d416d74eb8427c98c0d4c84be9c88fc7545c0fefe17666e063

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    c1a9c7c5f8901fd3b5b0ec13d389006d

                    SHA1

                    3fdf28db1218f5780db2245a48a65dae28c12056

                    SHA256

                    0a21d8b8bda8d4f3857b7eb99bd49e7679c830bd3d0a8e227332e7a755e4a55c

                    SHA512

                    4561ad631f508fa68cf55dd3d57d39dfb19cee3043ff37cb866c9fc98b596cf51cbdd80a38e35cf6960bd58f574e6816fb4eb4bd21c2a968d53dc2a29077160b

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                    Filesize

                    184KB

                    MD5

                    ca74f800908aff93925f8c4ae9fb2031

                    SHA1

                    f2966c94e4bfdd960786a185c1beda4594d6c4bb

                    SHA256

                    8410e0932b700327d4ef0f50456fd74f1f174b594f5958401da57a3a4c37771b

                    SHA512

                    51a2835d3fd2480b1213c056a0dfc7b552b61ee6e8fe8870ab493f8ffe0be0194ae4fa6071188d8f55d2b484511e9ef86ec345541db97159656b779957c8a7c5

                    Download Submit
                  • \Users\Admin\AppData\Roaming\SubDir\Client.exe
                    Filesize

                    409KB

                    MD5

                    b70fdac25a99501e3cae11f1b775249e

                    SHA1

                    3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

                    SHA256

                    51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

                    SHA512

                    43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

                    Download Submit
                  • memory/1956-1-0x0000000000F90000-0x0000000000FFC000-memory.dmp
                    Filesize

                    432KB

                    Download
                  • memory/1956-2-0x0000000074520000-0x0000000074C0E000-memory.dmp
                    Filesize

                    6.9MB

                    Download
                  • memory/1956-0-0x000000007452E000-0x000000007452F000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1956-13-0x0000000074520000-0x0000000074C0E000-memory.dmp
                    Filesize

                    6.9MB

                    Download
                  • memory/2504-10-0x0000000000370000-0x00000000003DC000-memory.dmp
                    Filesize

                    432KB

                    Download
                  • memory/2504-16-0x0000000074520000-0x0000000074C0E000-memory.dmp
                    Filesize

                    6.9MB

                    Download
                  • memory/2504-15-0x0000000074520000-0x0000000074C0E000-memory.dmp
                    Filesize

                    6.9MB

                    Download
                  • memory/2504-12-0x0000000074520000-0x0000000074C0E000-memory.dmp
                    Filesize

                    6.9MB

                    Download
                  • memory/2504-11-0x0000000074520000-0x0000000074C0E000-memory.dmp
                    Filesize

                    6.9MB

                    Download