Overview
overview
10Static
static
10AuroraALPH...2).exe
windows7-x64
10AuroraALPH...2).exe
windows10-1703-x64
10AuroraALPH...2).exe
windows10-2004-x64
10AuroraALPH...2).exe
windows11-21h2-x64
AuroraALPH...3).exe
windows7-x64
AuroraALPH...3).exe
windows10-1703-x64
10AuroraALPH...3).exe
windows10-2004-x64
AuroraALPH...3).exe
windows11-21h2-x64
10AuroraALPH...4).exe
windows7-x64
10AuroraALPH...4).exe
windows10-1703-x64
10AuroraALPH...4).exe
windows10-2004-x64
10AuroraALPH...4).exe
windows11-21h2-x64
10AuroraALPH...5).exe
windows7-x64
10AuroraALPH...5).exe
windows10-1703-x64
10AuroraALPH...5).exe
windows10-2004-x64
10AuroraALPH...5).exe
windows11-21h2-x64
10AuroraALPH...py.exe
windows7-x64
10AuroraALPH...py.exe
windows10-1703-x64
10AuroraALPH...py.exe
windows10-2004-x64
10AuroraALPH...py.exe
windows11-21h2-x64
10General
-
Target
343434.zip
-
Size
2.5MB
-
Sample
240913-xlnndatbra
-
MD5
c72bc91852793ad0fa7be4cd508ac3fc
-
SHA1
3b4e7a006419e35bacf1917fafc608ae581b0092
-
SHA256
e2e708e09031d7fa512f31ca4d6b10d0e48df7aff2a5b889477e792c6847a90c
-
SHA512
3bb4e450c342ab9cc0736a59b1391a529bcce77da5a59297ae943aba5a9393157a711cb5701b4fcfdd68d077211b32e8cac6f9627e4d46fcae033c1f24319110
-
SSDEEP
24576:JLgsYbcLgsYbNLgsYb6LgsYbcLgsYbRLgsYbF:JLTL+LRLnLALS
Behavioral task
behavioral1
Sample
AuroraALPHABUILD.0-6 - Copy (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
AuroraALPHABUILD.0-6 - Copy (2).exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
AuroraALPHABUILD.0-6 - Copy (2).exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
AuroraALPHABUILD.0-6 - Copy (2).exe
Resource
win11-20240802-en
Behavioral task
behavioral5
Sample
AuroraALPHABUILD.0-6 - Copy (3).exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
AuroraALPHABUILD.0-6 - Copy (3).exe
Resource
win10-20240404-en
Behavioral task
behavioral7
Sample
AuroraALPHABUILD.0-6 - Copy (3).exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral8
Sample
AuroraALPHABUILD.0-6 - Copy (3).exe
Resource
win11-20240802-en
Behavioral task
behavioral9
Sample
AuroraALPHABUILD.0-6 - Copy (4).exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
AuroraALPHABUILD.0-6 - Copy (4).exe
Resource
win10-20240404-en
Behavioral task
behavioral11
Sample
AuroraALPHABUILD.0-6 - Copy (4).exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral12
Sample
AuroraALPHABUILD.0-6 - Copy (4).exe
Resource
win11-20240802-en
Behavioral task
behavioral13
Sample
AuroraALPHABUILD.0-6 - Copy (5).exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
AuroraALPHABUILD.0-6 - Copy (5).exe
Resource
win10-20240404-en
Behavioral task
behavioral15
Sample
AuroraALPHABUILD.0-6 - Copy (5).exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral16
Sample
AuroraALPHABUILD.0-6 - Copy (5).exe
Resource
win11-20240802-en
Behavioral task
behavioral17
Sample
AuroraALPHABUILD.0-6 - Copy.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
AuroraALPHABUILD.0-6 - Copy.exe
Resource
win10-20240404-en
Behavioral task
behavioral19
Sample
AuroraALPHABUILD.0-6 - Copy.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
quasar
1.3.0.0
gimp1
193.42.33.210:4444
gimpdns.ddns.net:4444
QSR_MUTEX_XwuUSTCgYhmnf6vJ1L
-
encryption_key
lRzFKjYQKUKzh6RyUYYQ
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svchost
-
subdirectory
SubDir
Targets
-
-
Target
AuroraALPHABUILD.0-6 - Copy (2).exe
-
Size
231.7MB
-
MD5
3cda647a8948f3ac4df14abf6f1d62c1
-
SHA1
f4da28914a3938e7de76546bcf911f539672459a
-
SHA256
c905d2c1b9df641f12daab74948cef579aa92b6f07c36f97ed70146b615411c1
-
SHA512
77c0cd078ab2d2765237c3cc68a4872a81db653f1ad6a42122b786b27c7d48842577a65e88ad61e549e13b5be0df51e25b5f026089a19833e9da71f8c30c0cdd
-
SSDEEP
6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
AuroraALPHABUILD.0-6 - Copy (3).exe
-
Size
231.7MB
-
MD5
3cda647a8948f3ac4df14abf6f1d62c1
-
SHA1
f4da28914a3938e7de76546bcf911f539672459a
-
SHA256
c905d2c1b9df641f12daab74948cef579aa92b6f07c36f97ed70146b615411c1
-
SHA512
77c0cd078ab2d2765237c3cc68a4872a81db653f1ad6a42122b786b27c7d48842577a65e88ad61e549e13b5be0df51e25b5f026089a19833e9da71f8c30c0cdd
-
SSDEEP
6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Remote Services: SMB/Windows Admin Shares
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
-
Drops file in System32 directory
-
-
-
Target
AuroraALPHABUILD.0-6 - Copy (4).exe
-
Size
231.7MB
-
MD5
3cda647a8948f3ac4df14abf6f1d62c1
-
SHA1
f4da28914a3938e7de76546bcf911f539672459a
-
SHA256
c905d2c1b9df641f12daab74948cef579aa92b6f07c36f97ed70146b615411c1
-
SHA512
77c0cd078ab2d2765237c3cc68a4872a81db653f1ad6a42122b786b27c7d48842577a65e88ad61e549e13b5be0df51e25b5f026089a19833e9da71f8c30c0cdd
-
SSDEEP
6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
AuroraALPHABUILD.0-6 - Copy (5).exe
-
Size
231.7MB
-
MD5
3cda647a8948f3ac4df14abf6f1d62c1
-
SHA1
f4da28914a3938e7de76546bcf911f539672459a
-
SHA256
c905d2c1b9df641f12daab74948cef579aa92b6f07c36f97ed70146b615411c1
-
SHA512
77c0cd078ab2d2765237c3cc68a4872a81db653f1ad6a42122b786b27c7d48842577a65e88ad61e549e13b5be0df51e25b5f026089a19833e9da71f8c30c0cdd
-
SSDEEP
6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
AuroraALPHABUILD.0-6 - Copy.exe
-
Size
97.0MB
-
MD5
2b36c87327d49e2509816b80b90deb84
-
SHA1
9bd6b6edd4be18c825ea0c22210b7751849afcf3
-
SHA256
e809d65888127e63049885ba4fb12bcfba0ae6726e13197eb38975b73cd6019c
-
SHA512
f8ed673f8b67e0233ca6d390a244e7dfce1771e70979f231e140e060d8c124de69db77e487fb54baacadca19dd0a51be9a3eff8b1f4dfb36359c1435ab93eee2
-
SSDEEP
6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
5Scheduled Task
5Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
5Scheduled Task
5