Overview

overview

10

Static

static

10

TikTokBot.exe

windows7-x64

10

TikTokBot.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    TikTokBot.exe

  • Size

    534KB

  • Sample

    240911-v2he7atdqd

  • MD5

    22916453f988c9660b4c7c12b7e021b3

  • SHA1

    f662549f7d5fb24fe72c2f5f82e1d661b9efcdff

  • SHA256

    5bdd21c031e8d79b4bd9fc49dbb612d8a24fc652cf6df24c0fcb473c5abcfed8

  • SHA512

    7df8cb2fc2b4da6f99e53fb7496621fcb6c4cba7c8ecd40ae763ac5ac6c599520339465337b7b7e4bccf988701af7a87055377187c63d41ae60d7f0f291f6c65

  • SSDEEP

    6144:l8fGxBIgrx8kFYLTiMkbCs0KrTXLYzAR7bloVhfSP8tTsKv8CZ45uusDGy3V8/GR:BPx7FYPiMTsLXczA2tS2sKUCBujq

Score
10/10
quasarvenomratslavediscoveryevasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Slave

C2

eu-west-36307.packetriot.net:22471

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    uKN8xUJGqzjjCLO8arNy

  • install_name

    Mm2Dupe.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Targets

    • Target

      TikTokBot.exe

    • Size

      534KB

    • MD5

      22916453f988c9660b4c7c12b7e021b3

    • SHA1

      f662549f7d5fb24fe72c2f5f82e1d661b9efcdff

    • SHA256

      5bdd21c031e8d79b4bd9fc49dbb612d8a24fc652cf6df24c0fcb473c5abcfed8

    • SHA512

      7df8cb2fc2b4da6f99e53fb7496621fcb6c4cba7c8ecd40ae763ac5ac6c599520339465337b7b7e4bccf988701af7a87055377187c63d41ae60d7f0f291f6c65

    • SSDEEP

      6144:l8fGxBIgrx8kFYLTiMkbCs0KrTXLYzAR7bloVhfSP8tTsKv8CZ45uusDGy3V8/GR:BPx7FYPiMTsLXczA2tS2sKUCBujq

    Score
    10/10
    quasarvenomratslavediscoveryevasionratrootkitspywarestealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

      ratrootkitstealervenomrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks