Resubmissions
09-06-2024 11:59  240609-n5rppsba35  10

General
Target: 4819d22fc64341291bae25933ac60a45fec3ebd06d918dbcefec4265061bc8c4
Size: 87.4MB
Sample: 240609-n5rppsba35
MD5: c5b2d8ce98679c213f6dbfc38062f090
SHA1: 253acb9d8b6b8921aaf90b0159f4ae90d98bac5b
SHA256: 4819d22fc64341291bae25933ac60a45fec3ebd06d918dbcefec4265061bc8c4
SHA512: 0e8592e2ac86d0519b07a653cd6203f66980b2218a0f4a9f84adf206531858982b874dfd0db2eaa90f35d245494486925792f59fe6a4768b0c03be7070bb0b9a
SSDEEP: 1572864:ha2um44Hin4nU0PBB2CJQ41ZslbHMJWV7WYPkzZ0NaSrBzmYXleCVMN3:haTm4vn4U0PhT2BVBwZeLM
Malware Config

Extracted: quasar
reconnect_delay: 3000

Extracted: quasar
2.1.0.0
Office04
119.59.98.116:7812
VNM_MUTEX_W52pkvMG728H3VgAe1
encryption_key: lCK74G38OZkNWY7LhJK3
install_name: Windows Security.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Microsoft update
subdirectory: Windows Security SubDir

Extracted: asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%

Extracted: asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
119.59.98.116:7812
WindowsDefendersecurityService
delay: 1
install: true
install_file: Windows Defender Security Service.exe
install_folder: %AppData%

Extracted: xworm
5.1
119.59.98.116:7812
JBMeOx2rIgGrdV0y
Install_directory: %AppData%
install_file: Windows Defender security.exe
telegram: https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
Targets
Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.
Detect Xworm Payload
Quasar payload
StormKitty payload
Async RAT payload
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s)
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Create or Modify System Process: 1
Windows Service: 1
Scheduled Task/Job: 1