Resubmissions

25-08-2024 14:11

240825-rhfkpsybnb 10

25-08-2024 14:06

240825-ret9pazcpr 10

General

  • Target

    SeroXen-main.zip

  • Size

    14.7MB

  • Sample

    240825-rhfkpsybnb

  • MD5

    0a682639d15acff9fa26d868b718a70e

  • SHA1

    a87722f3d2454383bb53d63845290d065551104a

  • SHA256

    424691c17ca850f4b9d390a795b5c416f3df3c37f223c90fcc8544344ae86b5d

  • SHA512

    479163fde3bc8fe972cda20f4b0d092c51cc511ee9b3f614f62c8a87cbc21e2d6dd71e0fe62d3932122e1706fe528bc52689ad81b5bbf270afa70164f55917d9

  • SSDEEP

    393216:ob5vzXcRjp+Chy8a8ZUvNKz5QMBYkdDBV4Xfdaup6E94D:ob1rm4Chy8avvwvBJBveQup6E9e

Malware Config

Targets

    • Quasar RAT

      Quasar is an open-source Remote Access Tool.

    • Quasar payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks