Overview

overview

10

Static

static

3

CrackedWave.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CrackedWave.exe

  • Size

    17.7MB

  • Sample

    240719-q76bzsvaqr

  • MD5

    5d2ef5bc98a7c487c6a6b05a9e60db9c

  • SHA1

    ff805987e2cf3a90d09ed4a32013a6e86344768c

  • SHA256

    ecaceebf2b28b741603a75bbc8dce0f089b0d75314b2481c06534754a0e62517

  • SHA512

    2fdbafbb48cc3713121e5215015be2727398f10e76575ffea63624ee303c60fbc388f734213c1aa75537374db96538bbf23c9939e4aa71784262f1ae2adb19bf

  • SSDEEP

    393216:BfkZgLfrx0Lx8uOMpfo/nXlujARdGv4kHkzMmsW0W3WWRqusbMGCNFxHWy:lr+Lx8uOafgn1uj0dGv4fAjBZMGyFd

Score
10/10
quasarumbralsteamdefense_evasionexecutionpyinstallerspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Steam

C2

20.ip.gl.ply.gg:55257

Mutex

15d4edb7-40c0-4a95-9dc8-8fe93071bce0

Attributes
  • encryption_key

    F1B995FFCFBEAA3218870A13F82413DC65D82218

  • install_name

    Steam.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SteamClient

  • subdirectory

    %appdata%

Targets

    • Target

      CrackedWave.exe

    • Size

      17.7MB

    • MD5

      5d2ef5bc98a7c487c6a6b05a9e60db9c

    • SHA1

      ff805987e2cf3a90d09ed4a32013a6e86344768c

    • SHA256

      ecaceebf2b28b741603a75bbc8dce0f089b0d75314b2481c06534754a0e62517

    • SHA512

      2fdbafbb48cc3713121e5215015be2727398f10e76575ffea63624ee303c60fbc388f734213c1aa75537374db96538bbf23c9939e4aa71784262f1ae2adb19bf

    • SSDEEP

      393216:BfkZgLfrx0Lx8uOMpfo/nXlujARdGv4kHkzMmsW0W3WWRqusbMGCNFxHWy:lr+Lx8uOafgn1uj0dGv4fAjBZMGyFd

    Score
    10/10
    quasarumbralsteamdefense_evasionexecutionpyinstallerspywarestealertrojan

    • Detect Umbral payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks