General
Target: sigmasoft3.exe
Size: 15.6MB
Sample: 241110-skhzaasmfp
MD5: 062376a7456904b683c2a9c862beacb3
SHA1: d475f177f6e85c9fb7cde1d4b5b7e793f6768d1f
SHA256: 5edd8c757e0ae3da04b5c3966457e168027b44d20aeeda2a38e9d097c68a2afd
SHA512: 0b5e207af9bdebe439fba7668da43376d9e5a883c0084eaa2376458cccf4d9b23b6af16b48fcbe90eb6b3e7ca1f0df517fd0da1e0ac78add748a8eaead659233
SSDEEP: 393216:tZZBDmZ18TyLDEaBRput5NtMjy/yfK63vJZp:TZBbTNOpAGjy/WLbp
Static task: static1
Behavioral task: behavioral1
Sample: sigmasoft3.exe
Resource: win10v2004-20241007-en
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: gorodpro-37914.portmap.host:37914
Mutex: 1c5ec883-e96d-4a3a-9035-7a940d47aeb7
encryption_key: 99E87F88E9E967A51725453CB8223ADDB8256DE2
install_name: WindowsDefender.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Defender
subdirectory: WindowsDefender
Targets
Target: sigmasoft3.exe
Size: 15.6MB
MD5: 062376a7456904b683c2a9c862beacb3
SHA1: d475f177f6e85c9fb7cde1d4b5b7e793f6768d1f
SHA256: 5edd8c757e0ae3da04b5c3966457e168027b44d20aeeda2a38e9d097c68a2afd
SHA512: 0b5e207af9bdebe439fba7668da43376d9e5a883c0084eaa2376458cccf4d9b23b6af16b48fcbe90eb6b3e7ca1f0df517fd0da1e0ac78add748a8eaead659233
SSDEEP: 393216:tZZBDmZ18TyLDEaBRput5NtMjy/yfK63vJZp:TZBbTNOpAGjy/WLbp
- Quasar family
- Quasar payload
- Xmrig family
- XMRig Miner payload
- Creates new service(s)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files: steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings: powercfg controls the configurable power settings of a Windows system and can be abused (for example by zeroing the sleep and hibernate timeouts) to keep an infected host from sleeping, locking or shutting down, so the RAT and the miner stay running.
- Suspicious use of SetThreadContext
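The extracted config and the behaviour signatures above give a defender enough to triage a host for this sample. The Python below is an added example, not part of the sandbox report or of the Quasar project: it derives indicators from the config values shown (C2 host and port, the tail of the install path, the Run-key value name, the mutex) and matches them, together with command-line patterns for the powercfg, sc and schtasks abuse the signatures describe, against a constructed set of process, registry, network and mutex events. The event records, the benign look-alikes, the base install directory and the powercfg/sc command lines are assumptions; the report does not show the actual command lines or the full install path.

```python
import re

# Values copied from the Quasar config extracted in this report.
QUASAR_CONFIG = {
    "c2": "gorodpro-37914.portmap.host:37914",
    "mutex": "1c5ec883-e96d-4a3a-9035-7a940d47aeb7",
    "install_name": "WindowsDefender.exe",
    "subdirectory": "WindowsDefender",
    "startup_key": "Windows Defender",
}

# Command-line patterns for the behaviours the report flags. The report does
# not show the real invocations, so these patterns are assumptions.
POWERCFG_RE = re.compile(
    r"\bpowercfg(?:\.exe)?\b.*(?:"
    r"[/-](?:x|change)\b.*timeout\S*\s+0\b"   # e.g. /x -standby-timeout-ac 0
    r"|[/-]h(?:ibernate)?\s+off\b)",           # e.g. /h off
    re.IGNORECASE,
)
SERVICE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\b", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)


def derive_indicators(cfg):
    """Turn the extracted config into the host/network artefacts to look for."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        # Quasar installs to <base dir>\<subdirectory>\<install_name>; the base
        # directory depends on the build, so only the tail of the path is matched.
        "install_tail": f'{cfg["subdirectory"]}\\{cfg["install_name"]}'.lower(),
        "startup_value": cfg["startup_key"].lower(),
        "mutex": cfg["mutex"].lower(),
    }


def triage(events, ind):
    """Return (rule, detail) pairs for every event that matches an indicator."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            image, cmd = ev["image"].lower(), ev["cmdline"]
            if image.endswith(ind["install_tail"]):
                hits.append(("quasar_install_path", ev["image"]))
            if POWERCFG_RE.search(cmd):
                hits.append(("power_settings_tamper", cmd))
            if SERVICE_RE.search(cmd):
                hits.append(("service_created", cmd))
            if SCHTASKS_RE.search(cmd):
                hits.append(("scheduled_task_created", cmd))
        elif ev["type"] == "registry":
            # A Run-key value named after startup_key, in any hive.
            if ev["key"].lower().endswith("\\run") and ev["value"].lower() == ind["startup_value"]:
                hits.append(("quasar_startup_key", f'{ev["key"]}\\{ev["value"]} = {ev["data"]}'))
        elif ev["type"] == "network":
            if ev["host"].lower() == ind["c2_host"]:
                hits.append(("quasar_c2", f'{ev["host"]}:{ev["port"]}'))
        elif ev["type"] == "mutex":
            # Mutex names are often logged with the BaseNamedObjects prefix.
            if ev["name"].lower().endswith(ind["mutex"]):
                hits.append(("quasar_mutex", ev["name"]))
    return hits


# Constructed events (assumed paths and command lines, not taken from the report).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\WindowsDefender\WindowsDefender.exe",
     "cmdline": r'"C:\Users\victim\AppData\Roaming\WindowsDefender\WindowsDefender.exe"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Windows Defender",
     "data": r"C:\Users\victim\AppData\Roaming\WindowsDefender\WindowsDefender.exe"},
    {"type": "network", "host": "gorodpro-37914.portmap.host", "port": 37914},
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\1c5ec883-e96d-4a3a-9035-7a940d47aeb7"},
    {"type": "process", "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": "powercfg.exe /x -standby-timeout-ac 0"},
    {"type": "process", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create WinUpdSvc binPath= C:\ProgramData\svchost.exe start= auto"},
    # Benign look-alikes that must not fire: the real Defender path differs from
    # the install tail, and an ordinary outbound connection is not the C2 host.
    {"type": "process", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
    {"type": "network", "host": "www.microsoft.com", "port": 443},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS, derive_indicators(QUASAR_CONFIG)):
        print(f"{rule:24} {detail}")
```

Matching the install path on its tail rather than a full path is deliberate: Quasar builds choose the base directory at build time, and the config shown here only fixes the subdirectory and file name. The Run-key check ignores the hive for the same reason; the startup_key value name is the stable part.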
MITRE ATT&CK Enterprise v15 (number of matched signatures in parentheses)
Execution
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (2): Service Execution (2)
Persistence
- Create or Modify System Process (2): Windows Service (2)
- Power Settings (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (3): Credentials In Files (3)