Overview

overview

10

Static

static

3

Wave/Crack...re.dll

windows7-x64

3

Wave/Crack...re.dll

windows10-2004-x64

3

Wave/Crack...ss.exe

windows7-x64

3

Wave/Crack...ss.exe

windows10-2004-x64

3

Wave/Crack...me.dll

windows7-x64

3

Wave/Crack...me.dll

windows10-2004-x64

3

Wave/Crack...re.dll

windows7-x64

1

Wave/Crack...re.dll

windows10-2004-x64

1

Wave/Crack...pf.dll

windows7-x64

1

Wave/Crack...pf.dll

windows10-2004-x64

1

Wave/Crack...rp.dll

windows7-x64

1

Wave/Crack...rp.dll

windows10-2004-x64

1

Wave/Crack...ve.exe

windows7-x64

7

Wave/Crack...ve.exe

windows10-2004-x64

10

Wave/Crack...er.exe

windows7-x64

3

Wave/Crack...er.exe

windows10-2004-x64

3

Wave/Crack...nd.mp4

windows7-x64

1

Wave/Crack...nd.mp4

windows10-2004-x64

6

Wave/Crack...z4.dll

windows7-x64

1

Wave/Crack...z4.dll

windows10-2004-x64

1

Wave/Crack...sl.dll

windows7-x64

1

Wave/Crack...sl.dll

windows10-2004-x64

1

Wave/Crack...sh.dll

windows7-x64

1

Wave/Crack...sh.dll

windows10-2004-x64

1

Wave/Crack...b1.dll

windows7-x64

1

Wave/Crack...b1.dll

windows10-2004-x64

1

Wave/Crack...td.dll

windows7-x64

1

Wave/Crack...td.dll

windows10-2004-x64

1

Wave/Crack...nt.pak

windows7-x64

3

Wave/Crack...nt.pak

windows10-2004-x64

3

Wave/Crack...nt.pak

windows7-x64

3

Wave/Crack...nt.pak

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Wave.rar

  • Size

    106.0MB

  • Sample

    240723-vxztns1brr

  • MD5

    b81d72f4a8fe557eb9870b7a2a2aeca9

  • SHA1

    ac5df08a8c465c524bb7f2ef6af0eda93964e0ef

  • SHA256

    34e141c88f20dffe25bf118a427415ce55cbc123848a2f6d2d5ccfe390a746ec

  • SHA512

    2db1928eac847b396577e0aa7922b8094bea60656e353d7e88a67e7a75a303abcfb9f8b5285b6c19b823adfedd3f8baa14217b112d392f9eaf7bced699ef2cde

  • SSDEEP

    3145728:wJn/PvgNMifChclQRJDJTfuH1DCDiVqmeNolQWRU1NZ:wZpXDtWH1OOcSRRqz

Score
10/10
quasarumbralsteamcredential_accessdefense_evasiondiscoveryexecutionpyinstallerspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Steam

C2

20.ip.gl.ply.gg:55257

Mutex

15d4edb7-40c0-4a95-9dc8-8fe93071bce0

Attributes
  • encryption_key

    F1B995FFCFBEAA3218870A13F82413DC65D82218

  • install_name

    Steam.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SteamClient

  • subdirectory

    %appdata%

Targets

    • Target

      Wave/CrackedWave/CefSharp.BrowserSubprocess.Core.dll

    • Size

      915KB

    • MD5

      100c32f77e68a2ce962e1a28997567ea

    • SHA1

      a80a1f4019b8d44df6b5833fb0c51b929fa79843

    • SHA256

      c0b9e29b240d8328f2f9a29ca0298ca4d967a926f3174a3442c3730c00d5a926

    • SHA512

      f95530ef439fa5c4e3bc02db249b6a76e9d56849816ead83c9cd9bcd49d3443ccb88651d829165c98a67af40b3ef02b922971114f29c5c735e662ca35c0fb6ed

    • SSDEEP

      24576:PkwmtUw8kMmxuUjB7v/jFAGGUY9Wis0veKCZ2ZiVBhEDssQjPc8DnXoSiW+YfDxN:PrOer9Wis0veKCZ2ZiVBhEDssQjPc8DT

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      Wave/CrackedWave/CefSharp.BrowserSubprocess.exe

    • Size

      7KB

    • MD5

      516ff62b2e1f4642caa954c0968719e8

    • SHA1

      e349d0ce82e2109dd0d18416d9cf46e8411b7f15

    • SHA256

      19da58849cec5933860116e60a1e94b08e30d90e0f955768270b47998d612045

    • SHA512

      7aa4a0c87b29c2a84f585a884d8208fc2352a43f2cdb549c100e3b121837ad5f8dadb1101f57d1d3fcb7ebec9d9f22e07dc14239b7d2e2d25793c999becf288b

    • SSDEEP

      96:VpZxBI7kRTmQBDvTR/GNHAeFZZetmArNt61OYcXe5U:XBIYTmQBHRsHAeFZKsAYcXeS

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      Wave/CrackedWave/CefSharp.Core.Runtime.dll

    • Size

      1.3MB

    • MD5

      09cba584aa0aae9fc600745567393ef6

    • SHA1

      bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279

    • SHA256

      0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5

    • SHA512

      5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1

    • SSDEEP

      24576:5Ac2t6Twn/0ke6ruDPMY0BQJzTzAC991g44ekgpqc4CQKZi5P9xh0gsWLgiHesms:q6TmQJrXg44ekgpqc4CQKZi5P9xh0gsI

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      Wave/CrackedWave/CefSharp.Core.dll

    • Size

      898KB

    • MD5

      1bb24b22d9bd996c038d26b600ed18a8

    • SHA1

      c2629a8a26c9c0969501923f84874838087cca2b

    • SHA256

      944b987a0b677d354e24ee15bba65f73b0f051338f576234a975a49493399873

    • SHA512

      38578e0d1a39ccc9851ff80d3a0f5342a34303229e2898c3ca32dad11017d4277720f54b472c2f1a0b73f47d5ba6352aa7be8ae2ed72b3b25a01dd8292591421

    • SSDEEP

      6144:f6tY8dWKH9OxlAADuyszmqcRePgvoMtkjmIfLtfTPxrnQGf4YsFZtFCiHF9/zZgl:fW9OJopjjtrJTA/4iHfbaRWt

    Score
    1/10
    behavioral7behavioral8

    • Target

      Wave/CrackedWave/CefSharp.Wpf.dll

    • Size

      114KB

    • MD5

      ceaf0bad83fac8ce71853cd820e4ed9d

    • SHA1

      4eed686fbba7d4603b596fb8e494b8f452a05886

    • SHA256

      eaced1f76adb8ee756033baee29a47b1f4d4b657ebd105a7e25c8dc4fbc48cba

    • SHA512

      4ed3f83e797eade8f0d1c6b80ce49d18f00daaf5d69421a4920e3cea2e7d78c3622193ca65b6ab1dab14c57e7f893a7b1edb27b83f343ea4df731d80aa21ff82

    • SSDEEP

      3072:GtXa7DS3PzVafuE92oNf1VmVg1s0cOm5RpE:GtK7DS3PzVafuEUNVg1fI

    Score
    1/10
    behavioral10behavioral9

    • Target

      Wave/CrackedWave/CefSharp.dll

    • Size

      272KB

    • MD5

      9ca06a8f9e5f7239ca225ab810274023

    • SHA1

      e1a219f567a7b7d3af9386df51b14c76e769c044

    • SHA256

      5fd00ae3e83e6ca156647ff6df87b49ffc7cad47c23fe3ae07c067c5adf6f74a

    • SHA512

      430c9bceed5439b987d5bd4840cfe32411ca61594f18597aca1948aa39a22c9d70beadf3bb9b1dd0373f81a94a25dcba17fa8e8c73abf06cba28d0971d5614c5

    • SSDEEP

      3072:T79yn4ZKvXBctaKCCVEB3+yggNk5KolWEuJoyS5Vg00OKMlUtrz+pyUU2jCGqkp:5KfBuzVM37xEuJoJg00jMlY+pmD+

    Score
    1/10
    behavioral11behavioral12

    • Target

      Wave/CrackedWave/CrackedWave.exe

    • Size

      17.7MB

    • MD5

      5d2ef5bc98a7c487c6a6b05a9e60db9c

    • SHA1

      ff805987e2cf3a90d09ed4a32013a6e86344768c

    • SHA256

      ecaceebf2b28b741603a75bbc8dce0f089b0d75314b2481c06534754a0e62517

    • SHA512

      2fdbafbb48cc3713121e5215015be2727398f10e76575ffea63624ee303c60fbc388f734213c1aa75537374db96538bbf23c9939e4aa71784262f1ae2adb19bf

    • SSDEEP

      393216:BfkZgLfrx0Lx8uOMpfo/nXlujARdGv4kHkzMmsW0W3WWRqusbMGCNFxHWy:lr+Lx8uOafgn1uj0dGv4fAjBZMGyFd

    Score
    10/10
    discoverypyinstallerquasarumbralsteamcredential_accessdefense_evasionexecutionspywarestealertrojan

    • Detect Umbral payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral13behavioral14

    • Target

      Wave/CrackedWave/WaveBootstrapper.exe

    • Size

      949KB

    • MD5

      8fb51b92d496c6765f7ba44e6d4a8990

    • SHA1

      d3e5a8465622cd5adae05babeb7e34b2b5c777d7

    • SHA256

      ab49d6166a285b747e5f279620ab9cea12f33f7656d732aa75900fcb981a5394

    • SHA512

      20de93a52fff7b092cb9d77bd26944abed5f5cb67146e6d2d70be6a431283b6de52eb37a0e13dc8bc57dcf8be2d5a95b9c11b3b030a3e2f03dd6e4efc23527a6

    • SSDEEP

      24576:yviinbTwyFoBnDI0BNZRQM+tkMkAamtES1inzTU:PinbTha/NHR+tkJs1inzT

    Score
    3/10
    discovery
    behavioral15behavioral16

    • Target

      Wave/CrackedWave/bin/Background.mp4

    • Size

      4.6MB

    • MD5

      9782180eb68f73030fe24ef6a1735932

    • SHA1

      589827fe098ba048c9f871a28db8eae3e3537ff4

    • SHA256

      3a1cbb800f8f25c2ab703ba8bfdb01e938e4143c3bc0fea8ca734fb5ba779ba7

    • SHA512

      dc768638bae2d6d47d8910252ae64a656d8a6fd88efdf24165ddce51b7afdb4acb3fddd41dfe788737a2cab4fab66174db2f0d2f48bc8669af76d1656bca8be1

    • SSDEEP

      98304:xs/6Ldccul3Wn48btjNEkPSFTaIwJ0Mt6KNY:xs/Gul3EvEmFItMkb

    Score
    6/10
    discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral17behavioral18

    • Target

      Wave/CrackedWave/bin/lz4.dll

    • Size

      117KB

    • MD5

      f7e2f224f8dbe22012c7ff20590b8770

    • SHA1

      99775e038e306a2b5f73f6e7d8d42a5799ace824

    • SHA256

      c62f829bc0f820bca6bf14b380b285a169cd1395df864bbec692f8ca31bc4e70

    • SHA512

      96d2938cd77b48e4efdc7212a92327ac5ce43ad757fcff88eb5cbd3eb2fac1bbcaa2e119881f3cb902c634db8ef16e69146ebfe972ab0ecb2cf3b769e0818f89

    • SSDEEP

      1536:FVP0R6tS1m4baJ1ocCcl+DBZD5C3gTg60bEior69ggjpA38Ajcqv:Fxy9bs1oTfBZDugTgpbEXh0A38AYk

    Score
    1/10
    behavioral19behavioral20

    • Target

      Wave/CrackedWave/bin/wolfssl.dll

    • Size

      1.2MB

    • MD5

      a396ee8375252d04da31676fe1b3ff75

    • SHA1

      57aee1e5b69a85d0e0b7d5a103ddb683f0204cce

    • SHA256

      7dc3aeda7518abb376a6932583669e7e1595a656edeae65af1397807322e8a25

    • SHA512

      ff755bed789869a8cc2adc05b7a3b234ef93997b1774cc719d506ce4dd03fcd0ed6d320a13d815e27a21ebdf99f3308ea47a8de6b9a25ca4eaa8fb4045fbb0db

    • SSDEEP

      24576:yoCqsxtqSepCBr5fFrHodqht+tmiw9P9TsdJRV5Wodh8NHmoz:3CzASep0r5fFrHoUht+tU9TsrRV5WodE

    Score
    1/10
    behavioral21behavioral22

    • Target

      Wave/CrackedWave/bin/xxhash.dll

    • Size

      45KB

    • MD5

      161bd3d60228dd16c54a927250af3e49

    • SHA1

      463243c3cc2e0bca16f3ced2c3b70c13a0e97fa6

    • SHA256

      ecb5aa2bf0ff355a7b36bb3a991264655e13e0f2c9e88b9dfa39d7fe4c5142a7

    • SHA512

      3716ce34c1e9931007f374685a6588bc355e942872e7a42eaa4c5be9a0fdc93f081a1dc5c3d8fec4a4563dbd556f4d046f7bf3d50840c02d8aa822eaca7a577b

    • SSDEEP

      768:I9otvM7DZ1LMDJdj+LVvgFlJus4zBOQdlyR0/A:I9UEDLMDJxKM0scUS

    Score
    1/10
    behavioral23behavioral24

    • Target

      Wave/CrackedWave/bin/zlib1.dll

    • Size

      87KB

    • MD5

      f6fc96cfccdd9958a157546faa4c13a9

    • SHA1

      ae8e4171a0583a761ae4428e5757daeedaf2a157

    • SHA256

      231e29c228652e9d6504e608a1cc53311e762cd4c78deb7c9ef11bc27f13d3da

    • SHA512

      fb983083b5c620616d2547a7903f8ebfd2ad52ed9bdde8264b6e555fb47644c488779d3ade52f5e601dbc31e67f40ea973f41f45af242790dc5d8a91c163c8dc

    • SSDEEP

      1536:Q7wjHHWwn1rhEzjEp70E2thqlz4bqIOcIOZFkGnd02H:QcjH2w1EjEpIq6b4SZFfndjH

    Score
    1/10
    behavioral25behavioral26

    • Target

      Wave/CrackedWave/bin/zstd.dll

    • Size

      634KB

    • MD5

      59c9f23830bfb7b4fdc81bbd1e719810

    • SHA1

      e58049c836931a22768ce2e4502b3a856e2ecd18

    • SHA256

      9c37186c40d01e0ed9a42846c66aba449be5fe6c2da18ef6794422b5fa2ff8eb

    • SHA512

      b52f1d0e764159453ddebd70665c3a43c61e963651cf671db8994c74f2dd35dcfc79b2c4d19c5e8d6c8564c824285426c1ec651b02f1956d331447e9405212ff

    • SSDEEP

      12288:iilkxK/S1adDEh1qMkUFZe8/pJcOAAqy:iilkb1adDEh1qMkYZe8/pJxAAZ

    Score
    1/10
    behavioral27behavioral28

    • Target

      Wave/CrackedWave/chrome_100_percent.pak

    • Size

      667KB

    • MD5

      ae195e80859781a20414cf5faa52db06

    • SHA1

      b18ecb5ec141415e3a210880e2b3d37470636485

    • SHA256

      9957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552

    • SHA512

      c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c

    • SSDEEP

      12288:FI3H1fJxjzgsz5B0GDJQrnKs8SNP+QSsSilxNz40D+cIXgxEqoO0TehErw5:C3VBx7zEEmPLSUNz40KcUgxEqoO0TOv5

    Score
    3/10
    discovery
    behavioral29behavioral30

    • Target

      Wave/CrackedWave/chrome_200_percent.pak

    • Size

      1.0MB

    • MD5

      1abf6bad0c39d59e541f04162e744224

    • SHA1

      db93c38253338a0b85e431bd4194d9e7bddb22c6

    • SHA256

      01cb663a75f18bb2d0d800640a114f153a34bd8a5f2aa0ed7daa9b32967dc29e

    • SHA512

      945d519221d626421094316f13b818766826b3bedddab0165c041540dddadc93136e32784c0562d26a420cb29479d04d2aa317b8d605cd242e5152bf05af197e

    • SSDEEP

      24576:83zB69p5zLmmibkFR8+mZZhQumegvQtSP0KAwvdobaV26edhOLoeu5:83E53mNbkFRJmPhQRhQsP0KVvdl2jrOi

    Score
    3/10
    discovery
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

discoverypyinstaller
Score
7/10

behavioral14

quasarumbralsteamcredential_accessdefense_evasiondiscoveryexecutionpyinstallerspywarestealertrojan
Score
10/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

Score
1/10

behavioral18

discovery
Score
6/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

discovery
Score
3/10

behavioral30

Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

Score
3/10