Overview

overview

10

Static

static

1

Intel.exe

windows11-21h2-x64

10

Resubmissions

18-06-2024 21:43

240618-1kw5xa1gkk 10

18-06-2024 21:20

240618-z63dda1djl 3

Analysis

  • max time kernel
    136s
  • max time network
    154s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-06-2024 21:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Intel.exe

  • Size

    872KB

  • MD5

    6ee7ddebff0a2b78c7ac30f6e00d1d11

  • SHA1

    f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

  • SHA256

    865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

  • SHA512

    57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

  • SSDEEP

    12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L

Score
10/10
asyncratquasarspexeratspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SPEXE

C2

ethers.securitytactics.com:4781

Mutex

3b0f6830-7a38-466c-bc81-2c8654842aa8

Attributes
  • encryption_key

    E6F8B3AE067EDE18BEA401CF4082AEFD2C5DA9BC

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SPEXE

C2

ethers.securitytactics.com:6606

ethers.securitytactics.com:7707

ethers.securitytactics.com:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3348
      • C:\Users\Admin\AppData\Local\Temp\Intel.exe
        "C:\Users\Admin\AppData\Local\Temp\Intel.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2684
      • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1004
      • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3532

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
      Filesize

      14KB

      MD5

      cc474f328c7743aa4598460bae06c6f6

      SHA1

      0a1bc1534f53600669738aedaabf92772f1faa8e

      SHA256

      106e2a8aec59ec64a650aa7c8bcb40cd5b807e0449d474f5fffc94c1612020ec

      SHA512

      02521af5b36c9fbf1f6d15fe7083b0a505875931cf0bd5e66d98f8cc8ad93f94c58f051c0752d28f1ce753fe4d18ac4f152f04226f91595620bce8ffaa8c3908

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Filesize

      63KB

      MD5

      42ab6e035df99a43dbb879c86b620b91

      SHA1

      c6e116569d17d8142dbb217b1f8bfa95bc148c38

      SHA256

      53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b

      SHA512

      2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

      Download Submit
    • memory/1004-23-0x00000000064E0000-0x0000000006592000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1004-34-0x00000000056C0000-0x00000000056D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1004-26-0x0000000007870000-0x0000000007882000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1004-16-0x000000007208E000-0x000000007208F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1004-17-0x0000000005B90000-0x0000000006136000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1004-18-0x00000000056D0000-0x0000000005762000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1004-19-0x00000000056C0000-0x00000000056D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1004-20-0x0000000005690000-0x000000000569A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1004-27-0x00000000078D0000-0x000000000790C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1004-22-0x0000000006270000-0x00000000062C0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1004-13-0x0000000000C30000-0x0000000000F54000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1004-33-0x000000007208E000-0x000000007208F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1004-21-0x0000000006760000-0x0000000006D78000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1004-28-0x0000000007980000-0x00000000079E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1004-31-0x00000000085D0000-0x0000000008AFC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2684-11-0x0000000000C60000-0x0000000000C61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2684-9-0x0000000077C31000-0x0000000077D53000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3532-42-0x0000000002FB0000-0x0000000002FCE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3532-35-0x0000000000FD0000-0x0000000000FE6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3532-39-0x00000000068B0000-0x000000000694C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3532-40-0x0000000002FD0000-0x0000000003046000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3532-41-0x0000000002F50000-0x0000000002F5E000-memory.dmp
      Filesize

      56KB

      Download