Overview

overview

10

Static

static

10

TrixSMP-2.5.2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    TrixSMP-2.5.2.exe

  • Size

    3.2MB

  • Sample

    241106-wxkv7awarp

  • MD5

    9fcc6a986059b5b536e1d9a024d98437

  • SHA1

    362efdff4d397b27465effecd5cc46cc75ba4252

  • SHA256

    a9900a2399e587ed3ff5e60f06d042a5c6b340860f662b8716994d31775b5fe4

  • SHA512

    957c35d730f239e45d6b8080b90a021a14cb9a2e650299c8220233db52e4794839c87955ae0660dd5284f1c2fefa6ef3aa0d848fee13c3c8318d8616c2347936

  • SSDEEP

    49152:KvwG42pda6D+/PjlLOlg6yQipVrchNmzf3oGd+BTHHB72eh2NTVmd:Kvz42pda6D+/PjlLOlZyQipVrchGXmd

Score
10/10
quasarxmrighakaidiscoveryexecutionminermotwphishingspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

hakai

C2

hakai44-57264.portmap.io:57264

hakai44-57264.portmap.io:7000
Mutex

ebb287ed-cec7-4c1a-bd01-c9a44d3e16eb

Attributes
  • encryption_key

    EA64A0D4FF8902AE6D948D3F1F4FE3A6BD4AAB3A

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      TrixSMP-2.5.2.exe

    • Size

      3.2MB

    • MD5

      9fcc6a986059b5b536e1d9a024d98437

    • SHA1

      362efdff4d397b27465effecd5cc46cc75ba4252

    • SHA256

      a9900a2399e587ed3ff5e60f06d042a5c6b340860f662b8716994d31775b5fe4

    • SHA512

      957c35d730f239e45d6b8080b90a021a14cb9a2e650299c8220233db52e4794839c87955ae0660dd5284f1c2fefa6ef3aa0d848fee13c3c8318d8616c2347936

    • SSDEEP

      49152:KvwG42pda6D+/PjlLOlg6yQipVrchNmzf3oGd+BTHHB72eh2NTVmd:Kvz42pda6D+/PjlLOlZyQipVrchGXmd

    Score
    10/10
    quasarxmrighakaidiscoveryexecutionminermotwphishingspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • A potential corporate email address has been identified in the URL: =@L

      phishing

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks