Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    01-11-2024 19:15

General

  • Target

    VaporWaveX2.1/VaporWave2-1.exe

  • Size

    72.5MB

  • MD5

    af85b5d9c237ea75d4a307d5157c847f

  • SHA1

    84ad14e5d89bd85f0ef1bb5f3269c0d6929c6a53

  • SHA256

    3e7fe3f421b50a884cc30ac892a739e895f4243ed554183deebc7415593ee2d2

  • SHA512

    bf2e7414f1e00d69aaf3dab61a938c3051f429b712d8dcccd3f7a7a32226d42dc66477c1fac7cbb67a326dd05b33de7afbc176ce4280405ac69e2e8dcbdabca3

  • SSDEEP

    6144:UI6bPXhLApfpo8CL1g1N1ZflpUwGbeCqgHcFi9vNnoGjlhjl7k4:lmhAp5CL1g1N1ZfXxpi9vhHl1l7k4

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

general1

C2

servicehos.zapto.org:4444

Mutex

QSR_MUTEX_ksxWAP4ziOqMlreofU

Attributes
  • encryption_key

    i9HUVkY4QNExDOHIMtIX

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe
    "C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2456
    • C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2244
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /delete /tn "svchost" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2624
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8rzX5rJdA8bI.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:688
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8rzX5rJdA8bI.bat

    Filesize

    263B

    MD5

    3b131a9a7d8f3778836dc44e58e04f13

    SHA1

    f282199650901f19baf5472d3b9a7005156ce420

    SHA256

    1dc33e29f7a4a17c60b324f51fca129319c26d95de0a7cc2c1235c47083ca3a4

    SHA512

    27c0b59df8199da3d2ce044d5e0072910c320d0d3593997e915d94936ae0e85f58184a0eb02032a260d3815cd2e7c5be76e17f5fd4f02c3cef3bb262691fc2b5

  • C:\Users\Admin\AppData\Roaming\Logs\11-01-~1

    Filesize

    224B

    MD5

    895ff633adbfc7236b5cfab8fc99d4b2

    SHA1

    b80848d972413b9d693e3f163952865bd404b02b

    SHA256

    3c4eeb4ff4e77d54a65dea18a40be7f72fd3af48134067a06bdd94725885dce0

    SHA512

    3a604ca38587af7c167fc4f7143456887bdadcf56e64bbf86cfe4e4ae1aaaad29d0c9e7dfc589b771e9e78acf6c412f71f86925524835530222d13dcb521ab55

  • memory/2068-10-0x0000000001220000-0x000000000127E000-memory.dmp

    Filesize

    376KB

  • memory/2068-11-0x0000000074540000-0x0000000074C2E000-memory.dmp

    Filesize

    6.9MB

  • memory/2068-12-0x0000000074540000-0x0000000074C2E000-memory.dmp

    Filesize

    6.9MB

  • memory/2068-15-0x0000000074540000-0x0000000074C2E000-memory.dmp

    Filesize

    6.9MB

  • memory/2068-25-0x0000000074540000-0x0000000074C2E000-memory.dmp

    Filesize

    6.9MB

  • memory/2984-0-0x000000007454E000-0x000000007454F000-memory.dmp

    Filesize

    4KB

  • memory/2984-1-0x00000000002A0000-0x00000000002FE000-memory.dmp

    Filesize

    376KB

  • memory/2984-2-0x0000000074540000-0x0000000074C2E000-memory.dmp

    Filesize

    6.9MB

  • memory/2984-13-0x0000000074540000-0x0000000074C2E000-memory.dmp

    Filesize

    6.9MB