Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-07-2024 00:58

General

  • Target

    SeroXenLauncher.exe

  • Size

    409KB

  • MD5

    54d920888e6066870191f44fe0b27206

  • SHA1

    87feb8a460dd1dc736fc96fbfbe37bf67aed2c3e

  • SHA256

    5416eb9ce7028292f5810ab8acec85ab7cd55503bcdf097f3e2ce2a900577797

  • SHA512

    4b23903103954c5d491eedc1c77fec1fea32552b9b863ada312b75388a9a56d38573851d2f6edaf61444fb0549196b1e9310cb6fa4e1773b9bf65291d5e2f72d

  • SSDEEP

    6144:EM7Cp8XlizQNOa/YzLU+RefWtEOag0vQUvb3pOMZ97iJcfaohEt2+4nQQ:4pQl4QR/2LU+RefW7qg27iC+t0nQQ

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

127.0.0.1:4782

browser-julia.gl.at.ply.gg:54488

Mutex

$Sxr-GV6wZsGZZMeZ3qfenc

Attributes
  • encryption_key

    KH74MFPau2OXY0OqPzU8

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1257452635888423017/-MpHtN8_KQyb61HJqaai1yrkmHQG75b_w1I_FDSgXUCXHSAsskj1fAM-GezxYcBKnRgl

Signatures

  • Detect Umbral payload 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 5 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2392
    • C:\Windows\SysWOW64\SubDir\Client.exe
      "C:\Windows\SysWOW64\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1128
      • C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe
        "C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2328
        • C:\Windows\system32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe"
          4⤵
          • Views/modifies file attributes
          PID:1604
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1656
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:824
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2212
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1480
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:328
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          PID:2356
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          PID:1792
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:600
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:964
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe" && pause
          4⤵
          PID:1984
          • C:\Windows\system32\PING.EXE
            ping localhost
            5⤵
            • Runs ping.exe
            PID:944
      • C:\Users\Admin\AppData\Local\Temp\8OHR20XSEmaa.bat
        "C:\Users\Admin\AppData\Local\Temp\8OHR20XSEmaa.bat"
        3⤵
        • Executes dropped EXE
        PID:2456
        • C:\Windows\SysWOW64\SCHTASKS.exe
          "SCHTASKS.exe" /create /tn "$778OHR20XSEmaa.bat" /tr "'C:\Users\Admin\AppData\Local\Temp\8OHR20XSEmaa.bat'" /sc onlogon /rl HIGHEST
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:872
    • C:\Windows\SysWOW64\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77SeroXenLauncher.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\SeroXenLauncher.exe'" /sc onlogon /rl HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8OHR20XSEmaa.bat
    Filesize: 319KB
    MD5: 0c7336131c6cab639709f528d0a918b3
    SHA1: acf92382d5318d0b09192b9c16127dd45c33ab5f
    SHA256: d5c029dffe5e9c71677a20dc7850c0f3e9f63c26e9f1f34d6460c43b86d3ce5e
    SHA512: 4c608f57f79aa766b7998bdb452b8da6f6cf49c7c5eedf70b56c25f0e5a3a9d4cdc7f65776f0497c8e3be19071bc59220073ca13f3a3932e5f41eba72ac688cd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: b14e2d8721da545b5d5835c197c8aaa8
    SHA1: 44b119a88c631a9d1f6310b193dbb930e43060a1
    SHA256: 2eb6fb48fb16c0d6d5b0a4e7c4e3493bbacac3f1cdffbbd411e2c890af231860
    SHA512: 516ec12918ad13e50dc2e47f693deeb3a11ddbc32d027f2895ddb4f5e63858bfcc3fa6dd33e6e5a98d1f92e0d2203adfcfdc483c6486a0a4fa97e9db3f16b747

  • \Users\Admin\AppData\Local\Temp\0qvKpKh1rzyY.exe
    Filesize: 231KB
    MD5: ba3e0c4b34603ac162dd8e405edf8e0c
    SHA1: 5c313bcebdf01c4f7338e60a9c45f9ec71eddc35
    SHA256: 706b970e2f91391d7a3b270cefdd350c8c195afb5ee774cd74a06bda2e1e0b60
    SHA512: a62c8219ab1cf49474375b02ce7827488ac9512dac91d6d2c32112260ad33315c88fc25f62570d09e7662e2e660e37b23bef57b5d55ac1abd5d1f685e76ea695

  • \Users\Admin\AppData\Local\Temp\8OHR20XSEmaa.bat
    Filesize: 409KB
    MD5: fc51dabe5c87dd05143a263355e3886d
    SHA1: 1e40305ea3d0a6230ddd475e38be53d9129381c8
    SHA256: f60075eaa6a46c80a5a3b6bdb669cd4a3b05ec58767bca6a5121dc4f50b178cd
    SHA512: c2f963b86147bb28773293709dd04b40c1e37bd014ad2f1544aec924f22b27dc1feca90d34b656afd49356f1610c1d3bd5a2116cd53b1e47a5e11e50127ee904

  • \Windows\SysWOW64\SubDir\Client.exe
    Filesize: 409KB
    MD5: 54d920888e6066870191f44fe0b27206
    SHA1: 87feb8a460dd1dc736fc96fbfbe37bf67aed2c3e
    SHA256: 5416eb9ce7028292f5810ab8acec85ab7cd55503bcdf097f3e2ce2a900577797
    SHA512: 4b23903103954c5d491eedc1c77fec1fea32552b9b863ada312b75388a9a56d38573851d2f6edaf61444fb0549196b1e9310cb6fa4e1773b9bf65291d5e2f72d

  • memory/824-36-0x000000001B5B0000-0x000000001B892000-memory.dmp
    Filesize: 2.9MB

  • memory/824-37-0x00000000028E0000-0x00000000028E8000-memory.dmp
    Filesize: 32KB

  • memory/1656-30-0x0000000002810000-0x0000000002818000-memory.dmp
    Filesize: 32KB

  • memory/1656-29-0x000000001B4A0000-0x000000001B782000-memory.dmp
    Filesize: 2.9MB

  • memory/2424-13-0x0000000074490000-0x0000000074B7E000-memory.dmp
    Filesize: 6.9MB

  • memory/2424-0-0x000000007449E000-0x000000007449F000-memory.dmp
    Filesize: 4KB

  • memory/2424-2-0x0000000074490000-0x0000000074B7E000-memory.dmp
    Filesize: 6.9MB

  • memory/2424-1-0x0000000001380000-0x00000000013EC000-memory.dmp
    Filesize: 432KB

  • memory/2456-83-0x0000000001090000-0x00000000010FC000-memory.dmp
    Filesize: 432KB

  • memory/2668-15-0x0000000074490000-0x0000000074B7E000-memory.dmp
    Filesize: 6.9MB

  • memory/2668-11-0x0000000074490000-0x0000000074B7E000-memory.dmp
    Filesize: 6.9MB

  • memory/2668-10-0x0000000000CE0000-0x0000000000D4C000-memory.dmp
    Filesize: 432KB

  • memory/2668-14-0x0000000074490000-0x0000000074B7E000-memory.dmp
    Filesize: 6.9MB

  • memory/2668-9-0x0000000074490000-0x0000000074B7E000-memory.dmp
    Filesize: 6.9MB

  • memory/3016-24-0x0000000000370000-0x00000000003B0000-memory.dmp
    Filesize: 256KB