General

  • Target

    Obekräftade 432398.crdownload

  • Size

    38.2MB

  • Sample

    241204-lw48bsska1

  • MD5

    43ec213ae2f483ad0571615217a015f5

  • SHA1

    3249d4183d62599ee7352261af8c9f9fbfc41cab

  • SHA256

    61bad8d96f17bc5e303a42e6fb63aa90dacec97a90aa2bf7bfebdee5d7f969eb

  • SHA512

    e590d60c4ea504816c611f0417d72622fec2e8a496da2b61e31911e6bed82f5765501907e806b35dd4b28d7c759d9b8294cb462a84997bb8e984a7acd866350f

  • SSDEEP

    786432:jyIjkDNnx2+2NYTb4opWJ2E0R53QVnGajZAS/VNEEgrWpngLHYdXyXJW:TkDNnxV2iTb4mVE0RpsgUNBC+oSO8

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v3.0.0 | Slave

C2

147.185.221.17:25792

Mutex

92d55a7d-fa9d-4687-a639-1c17ad82e127

Attributes
  • encryption_key

    AAADD171AFB4583A86B8E61A97433E10C4015A71

  • install_name

    .exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

Targets

    • Target

      Obekräftade 432398.crdownload

    • Size

      38.2MB

    • MD5

      43ec213ae2f483ad0571615217a015f5

    • SHA1

      3249d4183d62599ee7352261af8c9f9fbfc41cab

    • SHA256

      61bad8d96f17bc5e303a42e6fb63aa90dacec97a90aa2bf7bfebdee5d7f969eb

    • SHA512

      e590d60c4ea504816c611f0417d72622fec2e8a496da2b61e31911e6bed82f5765501907e806b35dd4b28d7c759d9b8294cb462a84997bb8e984a7acd866350f

    • SSDEEP

      786432:jyIjkDNnx2+2NYTb4opWJ2E0R53QVnGajZAS/VNEEgrWpngLHYdXyXJW:TkDNnxV2iTb4mVE0RpsgUNBC+oSO8

    • Quasar RAT

      Quasar is an open-source remote access tool (RAT) written in C#.

    • Quasar family

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which can rename entities and obfuscate control flow.

    • Hide Artifacts: Hidden Window

      Windows that would normally be displayed when an application carries out an operation are hidden.

    • Drops file in System32 directory

    • Target

      X-Worm-V5-main/XWorm V5.0/XWorm V5.0.exe

    • Size

      10.4MB

    • MD5

      227494b22a4ee99f48a269c362fd5f19

    • SHA1

      d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9

    • SHA256

      7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2

    • SHA512

      71070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0

    • SSDEEP

      196608:z59nhcOWSxxgQHl2np1eY5J5itQaZWtU8i/MJ:zRRWQBQnpji1W+8i/

    • Score

      7/10

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which can rename entities and obfuscate control flow.

    • Target

      X-Worm-V5-main/XWorm V5.0/XWormLoader.exe

    • Size

      8.6MB

    • MD5

      2aff4d1edefd1017408f77bbf15ef6c2

    • SHA1

      cfc1827c2e45802cbfe931ab66dea427c512a6ab

    • SHA256

      7de8a4b7288fe71fdb8fa2eb453059937ce5ff998e117dc79c8d68de7e0f9315

    • SHA512

      a456dba519592187461596f0ceb1e008e0a9a974a79698acda5bb1cfe000b99fd1bcafe140a022a40db6b447cb70e335dba137500a4f05e68299a3da758f9756

    • SSDEEP

      196608:6HwveWmitDQXAWhg8tlFPreKofxWJHVP3u8CkXt0rQMJB4Eo:IkmitD85hgAtop81Hh0sUBk

    • Quasar RAT

      Quasar is an open-source remote access tool (RAT) written in C#.

    • Quasar family

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Hide Artifacts: Hidden Window

      Windows that would normally be displayed when an application carries out an operation are hidden.

    • Drops file in System32 directory
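
Added example (not part of the sandbox report, and not Quasar's or the sandbox's own code): a small hunt script that turns the extracted config and the signatures above into checks over endpoint telemetry. The C2 address, mutex and SHA256 hashes are copied from the report; the event records are constructed Sysmon-style dictionaries, and the command-line shapes used for the "Hidden Window", "Safe Mode Boot" and "Drops file in System32" signatures are assumed forms of those techniques, since the report names the techniques without showing the command lines this sample ran.

```python
"""Hunt for the Quasar sample described in the report above.

Added example. Indicators are taken from the report's extracted config;
event records and command-line patterns are constructed/assumed here.
"""
import re

# --- Hard indicators copied from the report's "Malware Config" block -------
C2 = ("147.185.221.17", 25792)
MUTEX = "92d55a7d-fa9d-4687-a639-1c17ad82e127"
SAMPLE_SHA256 = {
    "61bad8d96f17bc5e303a42e6fb63aa90dacec97a90aa2bf7bfebdee5d7f969eb",  # Obekräftade 432398.crdownload
    "7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2",  # XWorm V5.0.exe
    "7de8a4b7288fe71fdb8fa2eb453059937ce5ff998e117dc79c8d68de7e0f9315",  # XWormLoader.exe
}

# --- Behavioural patterns for the report's signatures ----------------------
# Assumed command-line shapes (the report does not show the sample's exact
# command lines): PowerShell started with a hidden window, and bcdedit
# forcing the next boot into Safe Mode. Only "/set ... safeboot" is matched,
# so the benign cleanup "bcdedit /deletevalue safeboot" does not fire.
HIDDEN_POWERSHELL = re.compile(
    r"\bpowershell(?:\.exe)?\b.*?\s-(?:w|win|windowstyle)\s+hidden\b", re.I)
SAFE_MODE_BOOT = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*?\s/set\b.*?\bsafeboot\b", re.I)
SYSTEM32_DROP = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)


def match_event(ev):
    """Return the names of the indicators/signatures a single event trips."""
    hits = []
    kind = ev.get("type")
    if kind == "network" and (ev.get("dst"), ev.get("dport")) == C2:
        hits.append("quasar_c2")
    elif kind == "mutex" and ev.get("name", "").lower() == MUTEX:
        hits.append("quasar_mutex")
    elif kind == "process":
        if ev.get("sha256", "").lower() in SAMPLE_SHA256:
            hits.append("known_sample_hash")
        cmd = ev.get("cmdline", "")
        if HIDDEN_POWERSHELL.search(cmd):
            hits.append("powershell_hidden_window")
        if SAFE_MODE_BOOT.search(cmd):
            hits.append("impair_defenses_safeboot")
    elif kind == "file" and SYSTEM32_DROP.match(ev.get("path", "")):
        hits.append("drops_file_in_system32")
    return hits


def triage(events):
    """Collapse per-event hits into a verdict plus the events behind it.

    Hard IOCs (C2 socket, mutex, known hash) are conclusive on their own.
    The behavioural signatures are noisy individually (admins hide
    PowerShell windows too), so two distinct ones are required to alert.
    """
    fired = {}
    for i, ev in enumerate(events):
        for name in match_event(ev):
            fired.setdefault(name, []).append(i)
    hard = {"quasar_c2", "quasar_mutex", "known_sample_hash"}
    behavioural = set(fired) - hard
    if fired.keys() & hard:
        verdict = "malicious"
    elif len(behavioural) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, fired


# Constructed Sysmon-style events, not records from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\u\Downloads\Obekräftade 432398.exe",
     "cmdline": r'"C:\Users\u\Downloads\Obekräftade 432398.exe"',
     "sha256": "61bad8d96f17bc5e303a42e6fb63aa90dacec97a90aa2bf7bfebdee5d7f969eb"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command Start-Sleep 3"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} safeboot minimal"},
    {"type": "mutex", "name": "92d55a7d-fa9d-4687-a639-1c17ad82e127"},
    {"type": "network", "dst": "147.185.221.17", "dport": 25792},
    {"type": "file", "path": r"C:\Windows\System32\example.dll"},  # constructed path
    # Benign look-alikes that must not fire:
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /enum"},
    {"type": "network", "dst": "147.185.221.17", "dport": 443},
]

if __name__ == "__main__":
    verdict, fired = triage(SAMPLE_EVENTS)
    print(verdict)
    for name, idxs in sorted(fired.items()):
        print(f"  {name}: events {idxs}")
```

The port is matched together with the address on purpose: the config gives a single C2 socket, and a connection to the same host on another port is a weaker signal that should be reviewed rather than auto-alerted. The `reconnect_delay` of 3000 ms in the config is also a beaconing hint worth adding as a separate timing rule if your telemetry keeps connection timestamps.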

MITRE ATT&CK Enterprise v15
