General

  • Target

    2a6a28e5ec050a9039d62bf2cd0075df7324ebb9e3c9130ca417c8381796445e

  • Size

    8.2MB

  • Sample

    240602-s4dhxagf83

  • MD5

    07dc8aa034636515b0da7475b6cc7ce8

  • SHA1

    e746ec81711fc8039ecc2dada0f25df64bd7d9e4

  • SHA256

    2a6a28e5ec050a9039d62bf2cd0075df7324ebb9e3c9130ca417c8381796445e

  • SHA512

    7af7fafc74f4b268da8b2764c396da8e6f25de7ac746c407409a3e2f981f55dc78f82b2055ea32fdb5a0f4c9582982808c525dd692a9fc398ec38608390f8116

  • SSDEEP

    196608:qHvvZPGmaJoKPfZCXh0YYyhVSXj8XN7rWtioPVOaYNC7Tn:qPNGmgfUxbXNWTPVLYsTn

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.6 | SeroXen

C2

seroooooxeen.chickenkiller.com:5059

Mutex

f953c0af-702a-46b5-ad07-d900b11c5cd9

Attributes

  • encryption_key

    458790DC6E62EEB3043B4566BF95CDAF711F1EC0

  • install_name

    .exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

Targets

    • Target

      darkmoon v2/lib/AyBYMBjlvU.bat

    • Size

      12.6MB

    • MD5

      8e3d8ed6db7cb979d5d56c8b847cc965

    • SHA1

      5d1ad752a988ce13da601448cdca5584610cffee

    • SHA256

      9d0b440b61b239bc3406d67bf7ae8baf1ceef65923e8558ce3a3c1a3c4a5e22a

    • SHA512

      d7a96420b1e61c4bc7db6c533704771e329239629201dbf34ac8a95a931da92c6e1d7ddb694a491656246b0eb491e96d194b7abccf54ef757c1aea92a9b96a0e

    • SSDEEP

      49152:Hq8mcjsXbvlusR48pNIN/I/EiFTPbYWLP17DFNkKuri3NSbkpXYyr7arOR150kFB:o

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      darkmoon v2/lib/DarkMoon_Gen.exe

    • Size

      340KB

    • MD5

      f3c021dbce0cd670f15415c3aa6b83aa

    • SHA1

      433842e6529c6df685da1317bfd69d2ea0c85cca

    • SHA256

      c147148fa809e238efc3e60b2ed129a93f11694b31d194f7347ddfbb6b82ba20

    • SHA512

      5690f12b45819cf28dfc350d3e362f172f1f589b9614b639f995e1bb56ea8fcb87b3058323998f33dd3637b48f00d596c63866cfde7172a3ac664fac110a6f66

    • SSDEEP

      3072:eahKyd2n3175Ctbq6rw3VScvNSAh8CndDOMrt1nW:eahOql+UcsMra

    Score
    6/10
    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      darkmoon v2/start.bat

    • Size

      82B

    • MD5

      e6ede72374e4f7b8b907d4099c76f4d4

    • SHA1

      146899cf959ada383b0a258b06da7963ef0d1c70

    • SHA256

      c07fbd6c49d83eb8399435f9972551d2c73a29e5914a25640639191d187dd80d

    • SHA512

      1b2d0cd4a5deae331ed16f383831f4ff7ba1c5b7f6906a35354dfd420ca44f17e3469157f2327685a6aa9773175425aa145faa2d4866030d131334eb36426fcc

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Each technique is listed with its ATT&CK ID and the number of matching behaviours reported for it.

Persistence

  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 2

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 2

Defense Evasion

  • Hide Artifacts (T1564): 2
    • Hidden Files and Directories (T1564.001): 2
  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 10
  • System Information Discovery (T1082): 10
  • Remote System Discovery (T1018): 3

Command and Control

  • Web Service (T1102): 2

Tasks