Overview

overview

10

Static

static

10

7_zip_installer.exe

windows7-x64

8

CHOCORAT.exe

windows7-x64

10

ChrisMessage.exe

windows7-x64

1

Free Porn.exe

windows7-x64

1

Gay Porn Mailer.exe

windows7-x64

1

GottaWork.exe

windows7-x64

PleaseWork.exe

windows7-x64

THING.exe

windows7-x64

7

Technoturn...AT.exe

windows7-x64

1

Verified by Visa.exe

windows7-x64

10

abwsx1.exe

windows7-x64

7

eee.exe

windows7-x64

1

hypno.exe

windows7-x64

8

mbam-setup...00.exe

windows7-x64

8

molesto.exe

windows7-x64

1

runme.exe

windows7-x64

7

setup.exe

windows7-x64

3

sevgi.exe

windows7-x64

6

shrek.exe

windows7-x64

8

upnp.exe

windows7-x64

7

virus.exe

windows7-x64

10

vmdestroyer.exe

windows7-x64

7

Analysis

  • max time kernel
    279s
  • max time network
    292s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CHOCORAT.exe

  • Size

    690KB

  • MD5

    01eb0af08528a0ea0e9497a3b6152e06

  • SHA1

    0ccc8c1d222c5b3975844155edebc34136704dbe

  • SHA256

    576e11eee6d61199ea29fbb0106867913c2e4f22822eb3806df3076ebd15f7d6

  • SHA512

    e30511c2c8fad9cb39ff43c6021ca8b0136c27bf1b0c08d5dad2b37e5268373b371a2965cab9cd86530a41862988b21aa28fc28ed201bf07c95012c5121f976c

  • SSDEEP

    6144:CaaXMzUmOZoq2ZeiOwAbPQiMtCNeI8MyllmjbO:Rachq1wcQPtzM6snO

Score
10/10
quasarpersistencespywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CHOCORAT.exe
    "C:\Users\Admin\AppData\Local\Temp\CHOCORAT.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Users\Admin\AppData\Roaming\wininit.exe
      "C:\Users\Admin\AppData\Roaming\wininit.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\wininit.exe
    Filesize

    690KB

    MD5

    01eb0af08528a0ea0e9497a3b6152e06

    SHA1

    0ccc8c1d222c5b3975844155edebc34136704dbe

    SHA256

    576e11eee6d61199ea29fbb0106867913c2e4f22822eb3806df3076ebd15f7d6

    SHA512

    e30511c2c8fad9cb39ff43c6021ca8b0136c27bf1b0c08d5dad2b37e5268373b371a2965cab9cd86530a41862988b21aa28fc28ed201bf07c95012c5121f976c

    Download Submit

  • memory/1892-0-0x000000007450E000-0x000000007450F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1892-1-0x00000000002B0000-0x0000000000362000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1892-2-0x0000000074500000-0x0000000074BEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1892-12-0x0000000074500000-0x0000000074BEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2516-10-0x0000000000B30000-0x0000000000BE2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2516-11-0x0000000074500000-0x0000000074BEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2516-13-0x0000000074500000-0x0000000074BEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2516-15-0x0000000074500000-0x0000000074BEE000-memory.dmp

    Filesize

    6.9MB

    Download