Malware Analysis Report

2024-08-06 11:23

Sample ID: 240615-jw3cmatamg
Target: SeroXen.zip
SHA256: f2a22a1b44253073cda975e57ee937304a434538f4df0942a65b25889f0fa24b
Tags: quasar evasion spyware themida trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: f2a22a1b44253073cda975e57ee937304a434538f4df0942a65b25889f0fa24b

Threat Level: Known bad

The file SeroXen.zip was found to be: Known bad.

Malicious Activity Summary

quasar evasion spyware themida trojan

Quasar RAT

Quasar family

Quasar payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-15 08:02

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-15 08:01
Reported: 2024-06-15 08:36
Platform: win10v2004-20240611-en
Max time kernel: 1387s
Max time network: 1177s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SeroXen.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SeroXen.zip

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp
NL | 23.62.61.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-15 08:01
Reported: 2024-06-15 08:36
Platform: win11-20240508-en
Max time kernel: 1739s
Max time network: 1751s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SeroXen.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SeroXen.zip

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 08:01
Reported: 2024-06-15 08:32
Platform: win10-20240611-en
Max time kernel: 477s
Max time network: 1611s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SeroXen.zip

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\New folder\SeroXen.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\New folder\SeroXen.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\New folder\SeroXen.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\New folder\SeroXen.exe | N/A

Themida packer

themida

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\New folder\SeroXen.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\New folder\SeroXen.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rescache\_merged\1847152663\4105898438.pri | C:\Users\Admin\Desktop\New folder\SeroXen.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Program Files\7-Zip\7zFM.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\New folder\SeroXen.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\New folder\SeroXen.exe | N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SeroXen.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SeroXen.zip"

C:\Users\Admin\Desktop\New folder\SeroXen.exe

"C:\Users\Admin\Desktop\New folder\SeroXen.exe"

Network

Country | Destination | Domain | Proto
US | 199.232.210.172:80 | N/A | tcp
US | 199.232.210.172:80 | N/A | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | auth.patched.to | udp
US | 104.26.15.16:443 | auth.patched.to | tcp
US | 8.8.8.8:53 | 16.15.26.104.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 ac4b20a781fe9996d0e4d62043f8c63b
SHA1 844a5b02f46fc207c6e35e9724ed5b24470b029a
SHA256 e88b5a6405f9b5abfb83f5bb2538ec4146b345c46a0f119490fcb6267dc3f14d
SHA512 d85efb126ae2d1498e6812b09bcbd79cb168292930c95f023f3f05a3347325e81d567e3b00f0c01e2a91b0a0a5adbf5d340d049324c5bc764d2542d65943f0b2

C:\Users\Admin\Desktop\New folder\SeroXen.exe

MD5 89a7d73bad622bbd0b9dfb8e80f8c42e
SHA1 f1ac96f1d956254c6b2209f457355da89c987d8f
SHA256 7cb37cd110a388998ce95819da915446331f614a5da8d5cfeed953812ada23f1
SHA512 760e8e7087ac107ec9e12caaa26968142ddd62ddd82d0e6abfcaa35de8f03917323e97147e72b63fb3dca27756726f4f8fa68f89f9e5acc70898c4c4b0a7bdd0

C:\Users\Admin\Desktop\New folder\Renci.SshNet.dll

MD5 38cd4058d861c08800a2a52ab41f929d
SHA1 9f5f747f2bd6bcb75ff2935833c617718fbe39cb
SHA256 57e8f49f8347c5e9444c138846a85868c52829b8ee99f0bde905e4fb3127339f
SHA512 3e0761550179952e60263ecbe803f0fd3ed32c03712e36e4f6cde53d1a039869bb210d04c1c1bda235226d362dc93d290e7f42291822b5daea4247070a891435

\Users\Admin\AppData\Local\Temp\e598627d-8851-4529-8c98-58e978071e98\C5VM64.dll

MD5 e3bd88b3c3e9b33dfa72c814f8826cff
SHA1 6d220c9eb7ee695f2b9dec261941bed59cac15e4
SHA256 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
SHA512 fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

C:\Users\Admin\Desktop\New folder\C5VM.dll

MD5 37691c7533a9327f520ebe21faa72191
SHA1 328ba7fe8627883bc3e31b7bf1cd317b442a4c08
SHA256 de6f08708b8bc6562828c7787769d14752b2c1ab0b0e9b34b1ed44987bd2f842
SHA512 b6334eba7103a986d4e2c12b38f34d084ce8d6b986ccb9775ec5d623b988546ce97308ddeb0239a5ec25e9d5782a27c777af7f89e757fdd35047723c4a0afdb4

\Users\Admin\Desktop\New folder\SeroXenPTO.bin

MD5 839acc7894ecd3b706277a7c754d1ab3
SHA1 03ceb5f2f82b4e2f6a1b41da9300564d78e0b13d
SHA256 a601e5352480503c69e2baa53c589a40881051965b4220bed1c17a5b36735b35
SHA512 46a713c005b2acc8db03023c63073603fc4a10e578429fe3783279e739b57942892ef5332e8ecf72e7157c50ee02ab1f10a3e681399e72b83714730f945314fd

\Users\Admin\Desktop\New folder\PTOAuth.dll

MD5 ced7e9cdea3c1dceedab64214c6dcb83
SHA1 73da7147478f83db810de4680e1e4fad13281a93
SHA256 4287556856619243ab4546046cea447e2481b2e7a1e7a26855f28d49918bfd87
SHA512 dee3a60236f044b7bee7baa384db5b9ecaa291d83583fa40cbac561e1419a481901a728d632653c150d5588ed29336fd64473e5ec5dbf11e7ca294c8dd278faf

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 08:01
Reported: 2024-06-15 08:36
Platform: win7-20240221-en
Max time kernel: 1565s
Max time network: 1568s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SeroXen.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SeroXen.zip

Network

N/A

Files

N/A