Overview

overview

10

Static

static

5

Passware K...er.exe

windows7-x64

10

Passware K...er.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Passware Kit Forensic 2021 Pre-patched retail installer.exe

  • Size

    381.5MB

  • Sample

    241112-2n383awldm

  • MD5

    298faa0669e7d439d1ba4a3d641cc619

  • SHA1

    093f271f3c1b4b6e6b948ee61b01ac2c7c02a0fd

  • SHA256

    344b9876db6b8649b9d65448a715b1923011ea9146e116908eb4d35bd8fa3af6

  • SHA512

    0cca0f0e1f1fae77eba6f438ce53c9542811533d9015a24bebaf4fce4ba936a7642c51f25bec74171e60591f10d8bdf7f76e8e49f27e640209b81bdfcfcbda01

  • SSDEEP

    6291456:hVqIbo0MM0kYOnyEBVToKg+IKiwA4kB88xU+WDyb/B/22aMBb7WDnexkq50NguO2:6Is0XRBV3LR4B8vm/hqMdWLeW00NgBa

Score
10/10
quasardefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationspywaretrojan

Malware Config

Targets

    • Target

      Passware Kit Forensic 2021 Pre-patched retail installer.exe

    • Size

      381.5MB

    • MD5

      298faa0669e7d439d1ba4a3d641cc619

    • SHA1

      093f271f3c1b4b6e6b948ee61b01ac2c7c02a0fd

    • SHA256

      344b9876db6b8649b9d65448a715b1923011ea9146e116908eb4d35bd8fa3af6

    • SHA512

      0cca0f0e1f1fae77eba6f438ce53c9542811533d9015a24bebaf4fce4ba936a7642c51f25bec74171e60591f10d8bdf7f76e8e49f27e640209b81bdfcfcbda01

    • SSDEEP

      6291456:hVqIbo0MM0kYOnyEBVToKg+IKiwA4kB88xU+WDyb/B/22aMBb7WDnexkq50NguO2:6Is0XRBV3LR4B8vm/hqMdWLeW00NgBa

    Score
    10/10
    quasardefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywaretrojanevasion

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Stops running service(s)

      evasionexecution

    • System Binary Proxy Execution: Regsvcs/Regasm

      Abuse Regasm to proxy execution of malicious code.

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Impair Defenses

1
T1562

Modify Registry

1
T1112

System Binary Proxy Execution

1
T1218

Regsvcs/Regasm

1
T1218.009

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks