Overview

overview

10

Static

static

3

dd521a9308...8f.exe

windows7-x64

10

dd521a9308...8f.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe

  • Size

    27.1MB

  • Sample

    240924-gsxa4axdph

  • MD5

    1b3c6e3b3ab3641e0001874a99472682

  • SHA1

    d0cd60a4bcc664f25d06bb678f0aa124d2b8fcf3

  • SHA256

    dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f

  • SHA512

    fac14eb191f7cca9edb2d6ef9d9c576eceaa32d6086ed54d7d816495f259f815b58b5dffc4a4914d0872fd99cdfdaabf08d72039fc4d27572330c6ef3c70532d

  • SSDEEP

    786432:tUpZvYGW0XpRFuSd3T+FhP8I+gqcSorasy6nMk6DNk:ypFY8pRF4ticfb

Score
10/10
asyncratquasarxworm07pjo24biig2defense_evasiondiscoveryexecutionpersistenceratspywaretrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Family

quasar

Version

1.4.1

Botnet

BIIG2

C2

4mekey1.myftp.biz:4782

Mutex

5c136035-7154-47b7-b78d-a0378c5e03a4

Attributes
  • encryption_key

    5A1721840C7FCFA52998D9F98F97F4B8137E6734

  • install_name

    Windows Server.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    Windows Update

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    developerpro21578Jp@@

Extracted

Family

asyncrat

Version

1.0.7

Botnet

07Pjo24

C2

4mekey1.myftp.biz:8848

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

4Mekey1.myftp.biz:7000

Attributes
  • install_file

    USB.exe

Targets

    • Target

      dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe

    • Size

      27.1MB

    • MD5

      1b3c6e3b3ab3641e0001874a99472682

    • SHA1

      d0cd60a4bcc664f25d06bb678f0aa124d2b8fcf3

    • SHA256

      dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f

    • SHA512

      fac14eb191f7cca9edb2d6ef9d9c576eceaa32d6086ed54d7d816495f259f815b58b5dffc4a4914d0872fd99cdfdaabf08d72039fc4d27572330c6ef3c70532d

    • SSDEEP

      786432:tUpZvYGW0XpRFuSd3T+FhP8I+gqcSorasy6nMk6DNk:ypFY8pRF4ticfb

    Score
    10/10
    quasarbiig2discoveryexecutionpersistencespywaretrojanasyncratxworm07pjo24defense_evasionrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks