Overview

overview

10

Static

static

3

4af6214cb0...7c.exe

windows7-x64

10

4af6214cb0...7c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4af6214cb055e4927edac5d42439c77c2c732c9a51b18bed148da55bd1d2387c.exe

  • Size

    6.9MB

  • Sample

    240923-v9fassydlb

  • MD5

    f263c2e28b83166ecbae7640f0096509

  • SHA1

    a3cb462f5954035ca68bc216a99eaa2455766310

  • SHA256

    4af6214cb055e4927edac5d42439c77c2c732c9a51b18bed148da55bd1d2387c

  • SHA512

    da247c568795c2da413d50006247ff817baa3d395f525adcda15868aefa8743aeac37ed38cadb17106c1c19b64dd5683a25c463a59ad1d4573bca18bebbc7f7e

  • SSDEEP

    98304:kAI+TK+yCJIyEAgweZ3BcNHVw9g6Tn/MQNB3g7ri6+Y3gFIjf3OsFyMqPPKn77KI:jtdyCJIXHxcN1HM4kY3gFIhyPX0qxm

Score
10/10
asyncratquasarxworm07pjo24biig2defense_evasiondiscoveryexecutionpersistenceratspywaretrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Family

quasar

Version

1.4.1

Botnet

BIIG2

C2

4mekey1.myftp.biz:4782

Mutex

5c136035-7154-47b7-b78d-a0378c5e03a4

Attributes
  • encryption_key

    5A1721840C7FCFA52998D9F98F97F4B8137E6734

  • install_name

    Windows Server.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    Windows Update

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    developerpro21578Jp@@

Extracted

Family

asyncrat

Version

1.0.7

Botnet

07Pjo24

C2

4mekey1.myftp.biz:8848

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

4Mekey1.myftp.biz:7000

Attributes
  • install_file

    USB.exe

Targets

    • Target

      4af6214cb055e4927edac5d42439c77c2c732c9a51b18bed148da55bd1d2387c.exe

    • Size

      6.9MB

    • MD5

      f263c2e28b83166ecbae7640f0096509

    • SHA1

      a3cb462f5954035ca68bc216a99eaa2455766310

    • SHA256

      4af6214cb055e4927edac5d42439c77c2c732c9a51b18bed148da55bd1d2387c

    • SHA512

      da247c568795c2da413d50006247ff817baa3d395f525adcda15868aefa8743aeac37ed38cadb17106c1c19b64dd5683a25c463a59ad1d4573bca18bebbc7f7e

    • SSDEEP

      98304:kAI+TK+yCJIyEAgweZ3BcNHVw9g6Tn/MQNB3g7ri6+Y3gFIjf3OsFyMqPPKn77KI:jtdyCJIXHxcN1HM4kY3gFIhyPX0qxm

    Score
    10/10
    quasarbiig2discoveryexecutionpersistencespywaretrojanasyncratxworm07pjo24defense_evasionrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks