General

  • Target

    d89a2246c6db2ec558bce3f1b3ca0cf32eb7dd9905b1ff30f802732434254c93

  • Size

    1.4MB

  • Sample

    241107-prb8jasdjc

  • MD5

    d969c15fe9871ad9e6398e5718512a04

  • SHA1

    1026dbc685f152d4e5a2307d88fc13a3a8750aae

  • SHA256

    d89a2246c6db2ec558bce3f1b3ca0cf32eb7dd9905b1ff30f802732434254c93

  • SHA512

    436dc836d3806061dedd989ada2e0c4458404a5c1a7221c7cd56051c06ac66aa0ba20ef3bace452ef480aa37eedaad42ae1d7ba31d16ba4dc075902e5b5f456e

  • SSDEEP

    24576:DVsvL5wtueF8TzBz9RXcvwP1vzBADIQ3PQRvNQAPjPPFIO9ITBI1A7:Dseqf1AwP1rCQRPPjPPt9ITBIW

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Heart

C2

185.163.127.20:61110

Mutex

HRT_MUTEX_kecTsVDPnERdvianlr

Attributes
  • encryption_key

    3vnM9JqtaSdxUVqeTXSi

  • install_name

    Subfile.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDirr

Extracted

Family

njrat

Version

0.7d

Botnet

HacKedTEST

C2

chipo.publicvm.com:1177

Mutex

4c71585ab01a8f1344352fb1f26b00fd

Attributes
  • reg_key

    4c71585ab01a8f1344352fb1f26b00fd

  • splitter

    |'|'|

Targets

    • Target

      Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Config.bat

    • Size

      580B

    • MD5

      028f22a9de1e96042ba3c22231565d7f

    • SHA1

      644f9c79a0338fd1073b66fcf5a96851c0c06ad6

    • SHA256

      cae2e9ddb120b89bb863815fbee0eeb597f576ec442242a87795244d2c2c8042

    • SHA512

      711a649a2e906c31997fe3d1f9f6fffa3bdd36118c9e11a0fd8acc7b662656d9c63db7f7e8a6c64240b78cbdc22594d1863042911057f539dadebb05c03c9d8b

    • Floxif family

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-infecting trojan and backdoor written in C++.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Detects Floxif payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect packer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/HtmlAgilityPack.dll

    • Size

      123KB

    • MD5

      97458fb37fcbea19b16704474e0bb747

    • SHA1

      d846a58c2dfa287dc070a3b3eaa12de54aefc5f4

    • SHA256

      eb6841497cafab1aac432b09f4979997fa3314d4828be15cdbd37f621ba38eac

    • SHA512

      7edeaadae25c60acf5fa969655ad667826dbec8025a09bd14933d81c3fddf2e6409c2f60345da2420d63c70b3b4985f8e33913fe09af5cb4695b28b2ba561f3d

    • SSDEEP

      3072:BXpTk1Pla+8e/vc/XM+MWWftfT5757XFl/gySY0SVqF:bk1tOoYD0

    Score
    1/10
    • Target

      Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/Load.exe

    • Size

      226KB

    • MD5

      9c7691ff597e9efd7f796b31accb78e8

    • SHA1

      81bb289aa37d182b60e86990376a375de7a8decc

    • SHA256

      1624af752c9f85fd117fafb28feb42a079f283dc133cdcc5799810072a95a6cb

    • SHA512

      739f187aaeda13b7ebef3918a965b8da4ee939cd3e60d36802768f52be7b08f5964b121d1e977f4c408ff8ae6aba02df4a4d37785735c2f70d8610551cbab135

    • SSDEEP

      3072:bo98cfXJyH8Rpf1RAshsapucG/6I2VI6whmHAsEye7Zm8TPRQfSFEq8o:b2ZycrfbARZ0AsEye7Zm8TPXFb8

    Score
    3/10
    • Target

      Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader.exe

    • Size

      292KB

    • MD5

      f0aa6235c34fb2c5af7bfa214ddfea07

    • SHA1

      83265dfd7fc52cfe57d6ba12774aed62af731746

    • SHA256

      e9780f257098c6503bf1c5a3715f27409c5015efe67060edb858c8bb54f876b3

    • SHA512

      32af8d069f9d3cac141f8cdc5ad21eb29cddaf7c498eda4e68790c9bbaefb3d517eee6025824b758a4967f2d07ab4195da5ff9cf74145b72b163b0c3cc8e93c3

    • SSDEEP

      6144:a4JQmNOIDgZ1QoSAtesA137gdDbvY7s50T2gQBCBV+UdvrEFp7hK8:akQ6OIcLQoSAtOBkdDr7mBjvrEH77

    • Floxif family

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-infecting trojan and backdoor written in C++.

    • Detects Floxif payload

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect packer.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader1.exe

    • Size

      147KB

    • MD5

      0a020a0a5f365ca997abb2c1c7ceb6d6

    • SHA1

      c3d7efdd2c2156729bf4ac905edb95f7b2ac8ae8

    • SHA256

      e0ec77a3548c4e55bc655b6754e8205bc09dd444e94886d3906e45fdff59ac02

    • SHA512

      98c85a19bc692603264bd2b408f40b92a0942ba5850f790a83a7a3c1467b1ea6a0922db6c7613cc14e248c43cbdb3dd098e6bef9f86a0eeca9ecccafb1667943

    • SSDEEP

      3072:e9JQm3OcOIxDJLgZ1Qout6Da2lQBV+UdE+rECWp7hKy:e9JQmNOIDgZ1QoSAgBV+UdvrEFp7hKy

    • Floxif family

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-infecting trojan and backdoor written in C++.

    • Detects Floxif payload

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect packer.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

    • Size

      1.1MB

    • MD5

      3ab47d7d723c1661807084d39d4b7744

    • SHA1

      a8790ce365a8e62d3f38fe2b6fae36b34f7a5a18

    • SHA256

      05ecfbb70aa1785e6c8aad3c7da653a797aba2193b7ef136d68e50e23315fbe2

    • SHA512

      667c794cbd3bec294a5b6321ec25624a2dc4c44da240ddba7759dceeaca303a34891be85a09bece13bfb8763bfcd6041d08d55e723c2f846a0938bf196cb7d84

    • SSDEEP

      24576:xavtvLkLL9IMixoEgeaUOR5UZtqOYq9MmCSSrEH7px:xkjkn9IMHeaU/Z+aPCSbx

    • Floxif family

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-infecting trojan and backdoor written in C++.

    • Njrat family

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Detects Floxif payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Modifies Windows Firewall

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/HtmlAgilityPack.dll

    • Size

      123KB

    • MD5

      97458fb37fcbea19b16704474e0bb747

    • SHA1

      d846a58c2dfa287dc070a3b3eaa12de54aefc5f4

    • SHA256

      eb6841497cafab1aac432b09f4979997fa3314d4828be15cdbd37f621ba38eac

    • SHA512

      7edeaadae25c60acf5fa969655ad667826dbec8025a09bd14933d81c3fddf2e6409c2f60345da2420d63c70b3b4985f8e33913fe09af5cb4695b28b2ba561f3d

    • SSDEEP

      3072:BXpTk1Pla+8e/vc/XM+MWWftfT5757XFl/gySY0SVqF:bk1tOoYD0

    Score
    1/10
    • Target

      Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Load.exe

    • Size

      226KB

    • MD5

      9c7691ff597e9efd7f796b31accb78e8

    • SHA1

      81bb289aa37d182b60e86990376a375de7a8decc

    • SHA256

      1624af752c9f85fd117fafb28feb42a079f283dc133cdcc5799810072a95a6cb

    • SHA512

      739f187aaeda13b7ebef3918a965b8da4ee939cd3e60d36802768f52be7b08f5964b121d1e977f4c408ff8ae6aba02df4a4d37785735c2f70d8610551cbab135

    • SSDEEP

      3072:bo98cfXJyH8Rpf1RAshsapucG/6I2VI6whmHAsEye7Zm8TPRQfSFEq8o:b2ZycrfbARZ0AsEye7Zm8TPXFb8

    Score
    3/10
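The extracted configs (Quasar C2 185.163.127.20:61110, mutex HRT_MUTEX_kecTsVDPnERdvianlr, startup key "Quasar Client Startup", install path SubDirr\Subfile.exe; njRAT C2 chipo.publicvm.com:1177 with mutex and reg_key 4c71585ab01a8f1344352fb1f26b00fd) and the behavioural signatures on the main executable (PowerShell Defender exclusions, Run-key persistence, firewall modification) are the indicators an analyst would turn into hunting rules. The Python below is an added example, not part of the sandbox report: it runs those rules over a constructed JSON-lines telemetry feed. The event schema (event, host, image, cmdline, dest, port, key, value, name) is an assumption, and because the report does not show the actual PowerShell or netsh command lines, the Add-MpPreference and netsh patterns are generic forms of those techniques rather than strings recovered from the sample.

```python
"""Hunt for the indicators this report extracts (Quasar 1.3.0.0, njRAT 0.7d)
across a JSON-lines endpoint telemetry feed.

Added example, not part of the sandbox report. The event schema is assumed;
SAMPLE_TELEMETRY below is constructed, not captured from a real host.
"""
import json
import re

# Indicators taken from the report's extracted configs.
C2_ENDPOINTS = {("185.163.127.20", 61110), ("chipo.publicvm.com", 1177)}
MUTEXES = {"HRT_MUTEX_kecTsVDPnERdvianlr",        # Quasar
           "4c71585ab01a8f1344352fb1f26b00fd"}    # njRAT (also its reg_key)
RUN_KEY_VALUES = {"Quasar Client Startup",         # Quasar startup_key
                  "4c71585ab01a8f1344352fb1f26b00fd"}
INSTALL_PATH_RE = re.compile(r"\\SubDirr\\Subfile\.exe$", re.IGNORECASE)

# Behavioural patterns for the report's PowerShell-exclusion and firewall
# signatures. The report does not show the real command lines, so these are
# generic forms of the techniques, not strings recovered from the sample.
MP_EXCLUSION_RE = re.compile(
    r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.IGNORECASE)
FIREWALL_RE = re.compile(r"\bnetsh\s+(advfirewall|firewall)\b", re.IGNORECASE)


def check_event(ev):
    """Return [(rule, detail), ...] for one parsed telemetry event."""
    hits = []
    kind = ev.get("event")
    if kind == "network_connect":
        key = (ev.get("dest", ""), ev.get("port"))
        if key in C2_ENDPOINTS:
            hits.append(("c2_connection", "%s:%s" % key))
    elif kind == "mutex_create":
        # Kernel object names carry a session prefix such as
        # \Sessions\1\BaseNamedObjects\; compare the leaf name only.
        leaf = ev.get("name", "").rsplit("\\", 1)[-1]
        if leaf in MUTEXES:
            hits.append(("rat_mutex", leaf))
    elif kind == "registry_set":
        key = ev.get("key", "").lower()
        if key.endswith(r"\currentversion\run") and ev.get("value") in RUN_KEY_VALUES:
            hits.append(("run_key_persistence", ev["value"]))
    elif kind == "process_create":
        image, cmd = ev.get("image", ""), ev.get("cmdline", "")
        if INSTALL_PATH_RE.search(image):
            hits.append(("quasar_install_path", image))
        if MP_EXCLUSION_RE.search(cmd):
            hits.append(("defender_exclusion_tamper", cmd))
        if FIREWALL_RE.search(cmd):
            hits.append(("firewall_modification", cmd))
    return hits


def scan(lines):
    """Scan JSON-lines telemetry; malformed lines are skipped, not fatal."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule, detail in check_event(ev):
            findings.append({"line": n, "host": ev.get("host"),
                             "rule": rule, "detail": detail})
    return findings


# Constructed telemetry: one infected-host sequence, one benign connection,
# one malformed line, and a second host showing the njRAT-side indicators.
SAMPLE_TELEMETRY = r"""
{"host": "WS01", "event": "process_create", "image": "C:\\Users\\x\\AppData\\Roaming\\SubDirr\\Subfile.exe", "cmdline": "\"C:\\Users\\x\\AppData\\Roaming\\SubDirr\\Subfile.exe\""}
{"host": "WS01", "event": "mutex_create", "name": "\\Sessions\\1\\BaseNamedObjects\\HRT_MUTEX_kecTsVDPnERdvianlr"}
{"host": "WS01", "event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Quasar Client Startup", "data": "C:\\Users\\x\\AppData\\Roaming\\SubDirr\\Subfile.exe"}
{"host": "WS01", "event": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\x\\AppData\\Roaming\\SubDirr'"}
{"host": "WS01", "event": "network_connect", "dest": "185.163.127.20", "port": 61110}
{"host": "WS01", "event": "network_connect", "dest": "8.8.8.8", "port": 53}
this line is not JSON and must be skipped
{"host": "WS02", "event": "process_create", "image": "C:\\Windows\\System32\\netsh.exe", "cmdline": "netsh firewall add allowedprogram \"C:\\Users\\y\\svchost.exe\" \"svchost.exe\" ENABLE"}
{"host": "WS02", "event": "mutex_create", "name": "4c71585ab01a8f1344352fb1f26b00fd"}
{"host": "WS02", "event": "network_connect", "dest": "chipo.publicvm.com", "port": 1177}
"""


def run_sample():
    """Run the rules over the constructed feed and return the findings."""
    return scan(SAMPLE_TELEMETRY.strip().splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print("line %(line)2d %(host)s %(rule)-26s %(detail)s" % f)
```

The C2 addresses and hashes match only this build; the mutex names, startup key and SubDirr\Subfile.exe path are build-time settings that the operator can change in seconds, so treat them as corroboration rather than the sole trigger. The Add-MpPreference and netsh rules are the durable part, since they catch the technique rather than this sample's configuration. Because the njRAT C2 is a dynamic-DNS hostname, match it against DNS query logs as well as connection records.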

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
5/10

behavioral1

floxif, quasar, heart, backdoor, discovery, execution, persistence, privilege_escalation, spyware, trojan, upx
Score
10/10

behavioral2

floxif, quasar, heart, backdoor, discovery, execution, persistence, privilege_escalation, spyware, trojan, upx
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

floxif, backdoor, discovery, persistence, privilege_escalation, trojan, upx
Score
10/10

behavioral8

floxif, backdoor, discovery, trojan, upx
Score
10/10

behavioral9

floxif, backdoor, discovery, persistence, privilege_escalation, trojan, upx
Score
10/10

behavioral10

floxif, backdoor, discovery, trojan, upx
Score
10/10

behavioral11

floxif, njrat, quasar, hackedtest, heart, backdoor, discovery, evasion, execution, persistence, privilege_escalation, spyware, trojan, upx
Score
10/10

behavioral12

floxif, njrat, quasar, hackedtest, heart, backdoor, discovery, evasion, execution, persistence, privilege_escalation, spyware, trojan, upx
Score
10/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10