General
-
Target
https://152.89.239.119
-
Sample
241002-hr918ssgnn
Malware Config
Extracted
http://152.89.239.119/ngrok.yml
Extracted
http://152.89.239.119/111.jpg
Extracted
http://152.89.239.119/222.jpg
Extracted
http://152.89.239.119/x.jpg
Extracted
http://152.89.239.119/WindowsUpdate.jpg
Extracted
http://152.89.239.119/ngrok.zip
Extracted
http://152.89.239.119/auto-install-hrdp.bat
Extracted
http://152.89.239.119/hrdp/hrdp.zip
Extracted
http://152.89.239.119/hrdp/update.zip
Extracted
http://152.89.239.119/hrdp/autoupdate.zip
Extracted
njrat
0.7d
حوالات
*jYyNjI2LmRkbn*ubmV0:5552
4e0c23218aae421528d2445f98e0e933
-
reg_key
4e0c23218aae421528d2445f98e0e933
-
splitter
|'|'|
Extracted
quasar
1.4.0.0
srlhost
262626.ddns.net:5551
45.61.151.50:5551
qVw3t6gtOwrpZYozK1
-
encryption_key
QfzNbeLbOitDzJWlP0jo
-
install_name
spoolar.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
spooler
-
subdirectory
printer
Targets
-
-
Target
https://152.89.239.119
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Server Software Component: Terminal Services DLL
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
3Hidden Files and Directories
2Hidden Users
1Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
1File Deletion
1Modify Registry
5Discovery
Browser Information Discovery
1Permission Groups Discovery
1Local Groups
1Query Registry
3Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1