Resubmissions

28-11-2024 05:26

241128-f5dh3stlbl 10

28-11-2024 05:24

241128-f317cstkfp 10

27-09-2024 19:50

240927-ykppqayfma 10

20-08-2024 17:46

240820-wcsqasyhjm 10

11-12-2023 06:01

231211-gq31vsgbh3 10

General

  • Target

    SeroXen_Cracked-main.zip

  • Size

    8.2MB

  • Sample

    240927-ykppqayfma

  • MD5

    be2e38fdf09445fcc563380b34456834

  • SHA1

    9576198da00fbfd930f2f9700759e290b793e3c6

  • SHA256

    deadf947dc6be85497b30473dcd6ab9a711b2e0a02df847c25f8fd15589a9c8b

  • SHA512

    96bcaafcda5bafe1fc9f6db1eb914517f77c4ddf4767689f21ad0910869005e32ba071e0c682d12b7dd4dfff0ae26a0eaa85236aaf9805b4db7050a93af18c0b

  • SSDEEP

    196608:Fi1/tl0L6Tt768UDVRNvlzZVUuphoFPgEHB4+7SUTAsI1SMLhs:UVl0Y1686NvpWFSKLI1Ps

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.5 | SeroXen

C2

kimsoylak.ddns.net:4782

Mutex

2cc9d61f-950d-4f23-b7d5-45d9dda2f256

Attributes

  • encryption_key

    F467D794B2E1081B6AD1EAD5813AFA74F053248D

  • install_name

    .exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    1

Targets

    • Target

      SeroXen_Cracked-main.zip

    • Size

      8.2MB

    • MD5

      be2e38fdf09445fcc563380b34456834

    • SHA1

      9576198da00fbfd930f2f9700759e290b793e3c6

    • SHA256

      deadf947dc6be85497b30473dcd6ab9a711b2e0a02df847c25f8fd15589a9c8b

    • SHA512

      96bcaafcda5bafe1fc9f6db1eb914517f77c4ddf4767689f21ad0910869005e32ba071e0c682d12b7dd4dfff0ae26a0eaa85236aaf9805b4db7050a93af18c0b

    • SSDEEP

      196608:Fi1/tl0L6Tt768UDVRNvlzZVUuphoFPgEHB4+7SUTAsI1SMLhs:UVl0Y1686NvpWFSKLI1Ps

    • Score

      1/10

    • Target

      SeroXen_Cracked-main/SeroXen Crack.rar

    • Size

      8.2MB

    • MD5

      a28bbc6271992ffc4dbd706fca6034fe

    • SHA1

      6a8f5bbce1d17fd37f7dfb59fffa1c16c3fccd17

    • SHA256

      306d942083d3df861ab01b8ea413c8059df0e9ef95b73ed0dddfc8be5a8567e7

    • SHA512

      22298e426eed578fa73585461033e3d1a597f7e93640d033e3d03d449974c4f25a70da463c0c69698faa1d546d4e75cb13312ac17c0d9ae51c69e32a0d20c213

    • SSDEEP

      196608:Hi1/tl0L6Tt768UDVRNvlzZVUuphoFPgEHB4+7SUTAsI1SMLhR:aVl0Y1686NvpWFSKLI1PR

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Target

      SeroXen Crack/SeroXen-install.bat

    • Size

      12.6MB

    • MD5

      898f49c739026123b6a3811fa31abe70

    • SHA1

      31ff6036b40d70d21cb1c4c0163cba0d4c720551

    • SHA256

      78b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f

    • SHA512

      a9aa2bf15db84361f315156ee6386cac49c14c2449a72e2f50b2e0b8d100781019c246c03a38a37d5dfc71a7c1c5451457faba074d1a875cab615ecb8d3e453d

    • SSDEEP

      49152:sW7ldCjqzV0qZpSjVbHDGYxqXTQPJee/X5nerh1gnfFijx6ygGSPlPNEIKlfuK1u:i

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes itself

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks