Overview

overview

10

Static

static

10

Adobe Down...er.exe

windows7-x64

10

Adobe Down...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    6s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-09-2024 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Adobe Download Manager.exe

  • Size

    2.0MB

  • MD5

    8df3728208c92aa58eb4fee95a0037ce

  • SHA1

    82e005dd61495c6bca6367061433a13188feeb8f

  • SHA256

    49287ec7fd145b3a0a5882dfed43529847f1ca2fab1ef771a96e4a6720f8d9db

  • SHA512

    46ee5bcdeae7c3ef54d38e10d002cae677c8e0d10d8e6e79efa4d3bb2f9fd26b5a8158009912ed2f7d8c4fd0a0120b3f88d43fd8831fceea9a5a1582d810abee

  • SSDEEP

    24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYS:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yk

Score
10/10
azorultquasarebayprofilesdiscoveryinfostealerspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443
Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes
  • encryption_key

    MWhG6wsClMX8aJM2CVXT

  • install_name

    winsock.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win defender run

  • subdirectory

    SubDir

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
    1⤵
    • Quasar RAT
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        3⤵
          PID:3352
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 556
          3⤵
          • Program crash
          PID:960
      • C:\Users\Admin\AppData\Local\Temp\windef.exe
        "C:\Users\Admin\AppData\Local\Temp\windef.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1512
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3900
        • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
          3⤵
            PID:1004
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:704
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b0gdSIlzeJlx.bat" "
              4⤵
                PID:2020
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  5⤵
                    PID:3740
                  • C:\Windows\SysWOW64\PING.EXE
                    ping -n 10 localhost
                    5⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:1732
                  • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                    "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                    5⤵
                      PID:4872
                      • C:\Windows\SysWOW64\schtasks.exe
                        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                        6⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:4816
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\exmE9mkk66WZ.bat" "
                        6⤵
                          PID:2928
                          • C:\Windows\SysWOW64\chcp.com
                            chcp 65001
                            7⤵
                              PID:4748
                            • C:\Windows\SysWOW64\PING.EXE
                              ping -n 10 localhost
                              7⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:4036
                            • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                              7⤵
                                PID:4680
                                • C:\Windows\SysWOW64\schtasks.exe
                                  "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                                  8⤵
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1600
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 2220
                              6⤵
                              • Program crash
                              PID:3900
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 2256
                          4⤵
                          • Program crash
                          PID:808
                    • C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
                      "C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:4516
                    • C:\Windows\SysWOW64\schtasks.exe
                      "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
                      2⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:700
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3704 -ip 3704
                    1⤵
                      PID:4336
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1004 -ip 1004
                      1⤵
                        PID:1252
                      • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                        C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                        1⤵
                          PID:1404
                          • C:\Users\Admin\AppData\Local\Temp\vnc.exe
                            "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
                            2⤵
                              PID:872
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k
                                3⤵
                                  PID:1556
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 528
                                  3⤵
                                  • Program crash
                                  PID:4640
                              • C:\Users\Admin\AppData\Local\Temp\windef.exe
                                "C:\Users\Admin\AppData\Local\Temp\windef.exe"
                                2⤵
                                  PID:4756
                                • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                                  "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
                                  2⤵
                                    PID:4424
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
                                    2⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1888
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 872 -ip 872
                                  1⤵
                                    PID:2420
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4872 -ip 4872
                                    1⤵
                                      PID:4332
                                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                      1⤵
                                        PID:5020
                                      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                        "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                        1⤵
                                          PID:5024
                                        • C:\Windows\system32\sihost.exe
                                          sihost.exe
                                          1⤵
                                            PID:4936
                                            • C:\Windows\explorer.exe
                                              explorer.exe /LOADSAVEDWINDOWS
                                              2⤵
                                                PID:5004

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
                                              Filesize

                                              1KB

                                              MD5

                                              10eab9c2684febb5327b6976f2047587

                                              SHA1

                                              a12ed54146a7f5c4c580416aecb899549712449e

                                              SHA256

                                              f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

                                              SHA512

                                              7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\b0gdSIlzeJlx.bat
                                              Filesize

                                              208B

                                              MD5

                                              c5eb90c3bdf8257b2e59de8f1b0d6125

                                              SHA1

                                              18ce2b5e0ecc6cb253a34756c011e7c0f8541c60

                                              SHA256

                                              23244bd69738f5f043681841066511fce066e8f915666471903ab5659d7d9dd4

                                              SHA512

                                              98436d7d6360e6fe757a4420c3314e7141383176f7b5ba541a3b5c2ff8985c389db966d373de4f5d3a8628715ea54d2d3783c6e99c487c9f112822119e5cdfc6

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\exmE9mkk66WZ.bat
                                              Filesize

                                              208B

                                              MD5

                                              0198c443d1813cc999bd70308a6ad1c2

                                              SHA1

                                              563148c7170a66a11fb260d16d385d0309b75acd

                                              SHA256

                                              4322cef75aa4132ff9857fbdc54ccc774ae3e8a2a375f1de1e88bb119b05a1fc

                                              SHA512

                                              b166a45b54b2b5b41fd38754db180d340b284119f89b585b6e2e4efc4400b10bd1079e9a0c375bfd7874694c2898231b12daa1fa0f5e9f259239ce0feb6db8ea

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\vnc.exe
                                              Filesize

                                              405KB

                                              MD5

                                              b8ba87ee4c3fc085a2fed0d839aadce1

                                              SHA1

                                              b3a2e3256406330e8b1779199bb2b9865122d766

                                              SHA256

                                              4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

                                              SHA512

                                              7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\windef.exe
                                              Filesize

                                              349KB

                                              MD5

                                              b4a202e03d4135484d0e730173abcc72

                                              SHA1

                                              01b30014545ea526c15a60931d676f9392ea0c70

                                              SHA256

                                              7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

                                              SHA512

                                              632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Logs\09-16-2024
                                              Filesize

                                              224B

                                              MD5

                                              64efdc30a1c7f5a9b8b754d3dfa55ac2

                                              SHA1

                                              43414400b53fc4855e0586d51f96d88b0dcff9f0

                                              SHA256

                                              85f851403d75e2fe1195d5f80e4f693ef50b9e9f1b5818ff593ee04995c91fac

                                              SHA512

                                              198686668d9db05030fac4dfc760b9fcbf7a7e3cc17e4c3e99670b3fd735bab7e2c950f058306ed10bb90f0d285fbfc42b262c0565173dcdde870380984e24e3

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Logs\09-16-2024
                                              Filesize

                                              224B

                                              MD5

                                              490851f571326cef0caa9231a44f8ebf

                                              SHA1

                                              753e4b22c85734fb96b107045c2691f24a23b7c8

                                              SHA256

                                              04b0917318fef0a312d41429c902c22f5c641d4423065b477258886431512444

                                              SHA512

                                              825d34293e2479b17e40d97731249246c7eaf52a3be3cb4ea8f6e7bbfe98e1f2513d40c1c4fa269eb58ba6d4ceb7b198d15597d7c22607af1854d6773b7cffef

                                              Download Submit

                                            • C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
                                              Filesize

                                              2.0MB

                                              MD5

                                              51b9f048c420a756868046d124dfbf45

                                              SHA1

                                              d43921c95d49ce973888dd6afd877adc5f59a2ea

                                              SHA256

                                              4a01ba61a25025053267d42c6ffafc58966ceb5d093c07a7aca79b99a2b9774c

                                              SHA512

                                              a53748d7cac4dc8a41eb2c5ee06b714b5cd44cd64728a385af55762a4a7df2db7f944ed6d9dc5bcebdb2506bd3e221f859171e17509b5ce2c946f9832ceab4fe

                                              Download Submit

                                            • memory/1004-45-0x00000000064D0000-0x00000000064DA000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/1512-34-0x00000000059A0000-0x0000000005A32000-memory.dmp

                                              Filesize

                                              584KB

                                              Download

                                            • memory/1512-36-0x0000000005EC0000-0x0000000005ED2000-memory.dmp

                                              Filesize

                                              72KB

                                              Download

                                            • memory/1512-37-0x0000000006AC0000-0x0000000006AFC000-memory.dmp

                                              Filesize

                                              240KB

                                              Download

                                            • memory/1512-35-0x0000000005890000-0x00000000058F6000-memory.dmp

                                              Filesize

                                              408KB

                                              Download

                                            • memory/1512-33-0x0000000005F50000-0x00000000064F4000-memory.dmp

                                              Filesize

                                              5.6MB

                                              Download

                                            • memory/1512-32-0x0000000000F40000-0x0000000000F9E000-memory.dmp

                                              Filesize

                                              376KB

                                              Download

                                            • memory/1512-29-0x0000000072ABE000-0x0000000072ABF000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/4516-28-0x0000000000400000-0x0000000000420000-memory.dmp

                                              Filesize

                                              128KB

                                              Download

                                            • memory/4516-20-0x0000000000400000-0x0000000000420000-memory.dmp

                                              Filesize

                                              128KB

                                              Download

                                            • memory/4696-19-0x0000000003D40000-0x0000000003D41000-memory.dmp

                                              Filesize

                                              4KB

                                              Download