Analysis
Max time kernel: 135s
Max time network: 133s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19/08/2024, 17:10

Static task: static1
Behavioral task: behavioral1
Sample: bad.exe
Resource: win7-20240704-en
General
Target: bad.exe
Size: 3.7MB
MD5: 8b88af81c33011a8f0fd7706034e0208
SHA1: 12505464442bd35acbb62bbcdb48fb031823ff01
SHA256: 2ab87351f388e10ff472ca538d58100cbeb401b7cde14f587ef53a9887154db7
SHA512: a73e26aa9ada2653597965ece64ec5f0469b925d31df4cc0942fadacdd910d2d2e0bf4065cb82a65a07ec0e23ccc7360f0eecda76f1a5f6a4deda1b1b07521c5
SSDEEP: 24576:s01wsus40AuwA6/sykLsGaQW1A5Oax6X8D9GOrVjJjNWmFe+Txy7z96/AMfm4A:osPUkLsEW1A5bxV9DRPFesNA
Malware Config
Extracted: quasar
- 2.8.0.1
- Estocolmo
- 142.4.197.81:5555
- 8TII29t58WcKMPIhVq
- encryption_key: ZQWZ9ZhoK5A8EFF0xXlY
- install_name: Venom.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Venom Client Startup
Signatures

Quasar payload (3 IoCs)
- resource: behavioral2/memory/3960-8-0x0000000000400000-0x00000000004EC000-memory.dmp, yara_rule: family_quasar
- resource: behavioral2/memory/3960-7-0x0000000000400000-0x00000000004EC000-memory.dmp, yara_rule: family_quasar
- resource: behavioral2/memory/3960-6-0x0000000000400000-0x00000000004EC000-memory.dmp, yara_rule: family_quasar

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow: 12, ioc: ip-api.com

Suspicious use of SetThreadContext (1 IoC)
- description: PID 1404 set thread context of 3960, process: bad.exe, procid_target: 85

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: bad.exe
- description: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: bad.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- description: Token: SeDebugPrivilege, pid: 3960, process: bad.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- description: PID 1404 wrote to memory of 3960, process: bad.exe, procid_target: 85 (this entry appears 8 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\bad.exe "C:\Users\Admin\AppData\Local\Temp\bad.exe" (PID: 1404)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bad.exe "C:\Users\Admin\AppData\Local\Temp\bad.exe" (PID: 3960)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken