Overview

overview

10

Static

static

3

background_script.exe

windows7-x64

7

background_script.exe

windows10-2004-x64

10

background_script.pyc

windows7-x64

3

background_script.pyc

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    background_script.exe

  • Size

    10.2MB

  • Sample

    240801-chh89s1ala

  • MD5

    fe74dabc7081642914f3416aad8753bb

  • SHA1

    f662c23a38ec27398826f0bcd9d5503a1a412bbd

  • SHA256

    47a549f6c12a86000ebea99389ac5d297dcb42c9734bebcbb3bbd83a177e336e

  • SHA512

    8e45cba357b7bbd321ed37e1131f5e6b7ef9ad3234900f241db6f9e0a96853801ac5d5ab79bc08fffb96d2c518e1bd859432413d79dd86b4dc5447726bdab379

  • SSDEEP

    196608:NEahQxkEJXU3b01Kpn3V+uq+Vvp9CsXDjpf5ZkHSETM9FGcEX:uahQEL01+l+uq+VvbCEPZkyvUL

Score
10/10
quasarumbralsteamcredential_accessdefense_evasiondiscoveryexecutionpyinstallerspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Steam

C2

20.ip.gl.ply.gg:55257

Mutex

15d4edb7-40c0-4a95-9dc8-8fe93071bce0

Attributes
  • encryption_key

    F1B995FFCFBEAA3218870A13F82413DC65D82218

  • install_name

    Steam.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SteamClient

  • subdirectory

    %appdata%

Targets

    • Target

      background_script.exe

    • Size

      10.2MB

    • MD5

      fe74dabc7081642914f3416aad8753bb

    • SHA1

      f662c23a38ec27398826f0bcd9d5503a1a412bbd

    • SHA256

      47a549f6c12a86000ebea99389ac5d297dcb42c9734bebcbb3bbd83a177e336e

    • SHA512

      8e45cba357b7bbd321ed37e1131f5e6b7ef9ad3234900f241db6f9e0a96853801ac5d5ab79bc08fffb96d2c518e1bd859432413d79dd86b4dc5447726bdab379

    • SSDEEP

      196608:NEahQxkEJXU3b01Kpn3V+uq+Vvp9CsXDjpf5ZkHSETM9FGcEX:uahQEL01+l+uq+VvbCEPZkyvUL

    Score
    10/10
    quasarumbralsteamcredential_accessdefense_evasiondiscoveryexecutionpyinstallerspywarestealertrojan

    • Detect Umbral payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1behavioral2

    • Target

      background_script.pyc

    • Size

      3KB

    • MD5

      5978f68476275e7b24af869c3d2e988c

    • SHA1

      01d13971a416b1c03cfc6dd5e66c5ee69336b90d

    • SHA256

      e7dd84c0772b3feb0da7952984ce2e2ba1241d2804841303601699aeb855e1d7

    • SHA512

      1796c933aa77aa36d9c4daf42ea2290c2a0e341792c0852870a44e9d8fe38ae09e069ad462fcb96f68023f76f6a9c42915d60706bd8ae181c5332c78e45758ee

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks