General
Target: https://github.com/zoniccracks/X-Worm-V5
Sample: 240817-xfhvya1bnh
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://github.com/zoniccracks/X-Worm-V5
  Resource: win10v2004-20240802-en
Malware Config
Extracted
Family: quasar
Version: 1.0.0.0
v3.0.0 | Slave
C2: 147.185.221.17:25792
Mutex: 92d55a7d-fa9d-4687-a639-1c17ad82e127
encryption_key: AAADD171AFB4583A86B8E61A97433E10C4015A71
install_name: .exe
log_directory: $sxr-Logs
reconnect_delay: 3000
Targets
Target: https://github.com/zoniccracks/X-Worm-V5

Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Quasar payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
AgentTesla payload
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Indicator Removal: Clear Windows Event Logs
  Clears Windows Event Logs to hide the activity of an intrusion.
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Defense Evasion
  Hide Artifacts (1)
    Hidden Window (1)
  Impair Defenses (1)
    Safe Mode Boot (1)
  Indicator Removal (1)
    Clear Windows Event Logs (1)
  Modify Registry (1)