General
-
Target
416de11d210ae0ff50214021ff57b32b.bin
-
Size
21.3MB
-
Sample
240728-bvcrkszfkp
-
MD5
d3e62cc6b4fdba014b6ae717e9aba0fa
-
SHA1
a890d1cf1b3706ad88ea1adb327d6eeb3cf960e0
-
SHA256
af28c04f796374b21521aeb2ea9c9c12b6f468d58ebe306838836dc5d9f16f8f
-
SHA512
b5921fe2ef3df42ae50d8e0a65ddabd91a1a15354e2daff5acfb25896d476b94c47a2412b30a7649212fd4ade8cc46d2c937149bf3bce3a89007aed83d9664f6
-
SSDEEP
393216:yIXDljvF01ZSCH0P2HLmkEpTnMbHfKZ6VWGRm/cwtv3HJsIZ05mvl0jTp6ZvY4cy:/N0ni26kME/KZ6VWGRmkwtP6cmmtq2vN
Malware Config
Extracted
redline
cheat
154.81.220.233:28105
Extracted
quasar
1.4.1
themdas
auroraforge.art:55326
thesirenmika.com:55713
0cbdfe7f-0215-41e8-a7b5-d4fbbc555089
-
encryption_key
A730DFF691ED1723ED88E36A2C5E7ED5CCF91DD1
-
install_name
up2.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850.exe
-
Size
21.3MB
-
MD5
416de11d210ae0ff50214021ff57b32b
-
SHA1
3142453c18080b83d8dbdeba89524beea1c94ff3
-
SHA256
72e1fc6da0a5cfca80413b8b24a880b0688908264971cfedaf079ee52ce4d850
-
SHA512
e1f061f99e9e4e42c21269a32c9f3cfa711a8a95caf7628637d5606ae7846fc73ae982b0ee78646026c41e5c1e61e21a15829967d2fed534070e3c40e2731e4c
-
SSDEEP
393216:TYTogFuaMaKQy6SSTMX3q7wLta40K3pNPS4n+yubbcEVPxEV+aqdvx1LB1x8NFN:TYT1Fu/6SSTMq+YK3Hx+3r5Np1FL8NF
Score10/10-
Aurora
Aurora is a crypto wallet stealer written in Golang.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
-
Shurk Stealer payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-