Overview

overview

10

Static

static

3

Dox Tool V...ed.exe

windows7-x64

10

Dox Tool V...ed.exe

windows10-2004-x64

10

Dox Tool V...on.dll

windows7-x64

1

Dox Tool V...on.dll

windows10-2004-x64

1

Dox Tool V...I2.dll

windows10-2004-x64

3

Dox Tool V...ct.dll

windows7-x64

1

Dox Tool V...ct.dll

windows10-2004-x64

1

Dox Tool V...ip.dll

windows7-x64

1

Dox Tool V...ip.dll

windows10-2004-x64

1

Dox Tool V...er.exe

windows7-x64

8

Dox Tool V...er.exe

windows10-2004-x64

8

Dox Tool V...on.dll

windows7-x64

1

Dox Tool V...on.dll

windows10-2004-x64

1

Dox Tool V...I2.dll

windows10-2004-x64

3

Dox Tool V...ct.dll

windows7-x64

1

Dox Tool V...ct.dll

windows10-2004-x64

1

Dox Tool V...ys.exe

windows7-x64

10

Dox Tool V...ys.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Dox Tool V3 Cracked.rar

  • Size

    1.6MB

  • Sample

    241207-2rmeqatlak

  • MD5

    a80d21cb7ec32c7b82b02186fb6e7751

  • SHA1

    bdad4f5b2eaeaa763710bb10aff89215c3321474

  • SHA256

    e4bdfc5dee2559aba73e88fa3c0185821d328a1ead618e578352623687fa9ae7

  • SHA512

    d658f889912ba79b1155096148681e9bffa726743cdad9178bb3004785433f1ed74fbc18016556120ed03cdd49632ce495762a700fe8cec349156ecc5638544e

  • SSDEEP

    49152:+C8NlxWSwOcsNlkAfTqNZZUakzfTqNNZBe:F8Nl8STAA7yZUx7iZBe

Score
10/10
quasaroffice04discoveryexecutionpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

192.168.1.11:4782

Mutex

QSR_MUTEX_f39lWqYnYtP5YngtM5

Attributes
  • encryption_key

    c5q7P5jsfrwN6nB5c3mG

  • install_name

    SystemUpdate.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsUpdate

  • subdirectory

    SubDir

Targets

    • Target

      Dox Tool V3 Cracked/Dox Tool V3 Cracked.exe

    • Size

      207KB

    • MD5

      6c206cadf297a02c0af977c65637a166

    • SHA1

      7d382b1e6cefd120f9d87f894e14088e18d01c73

    • SHA256

      f4f78f44719af71a363bd50107840f53f8eebf3190505c10bac2cf7be3c29e59

    • SHA512

      2672ae02fb6b768861f469556f9818fd84866d62122f243309b5f2d13c4c907b6555e968bfb4b10cd48188fe3b2182b15ee7f425ddd14835b483d0dfe721b515

    • SSDEEP

      3072:a4lci2Fg23Ii0qLTqBGsx/2JNRnvcXCevyLNgtlr:a6ci8giNLZW2HRnvKClg

    Score
    10/10
    quasaroffice04discoveryexecutionpersistencespywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

    • Target

      Dox Tool V3 Cracked/Newtonsoft.Json.dll

    • Size

      659KB

    • MD5

      4df6c8781e70c3a4912b5be796e6d337

    • SHA1

      cbc510520fcd85dbc1c82b02e82040702aca9b79

    • SHA256

      3598cccad5b535fea6f93662107a4183bfd6167bf1d0f80260436093edc2e3af

    • SHA512

      964d9813e4d11e1e603e0a9627885c52034b088d0b0dfa5ac0043c27df204e621a2a654445f440ae318e15b1c5fea5c469da9e6a7350a787fef9edf6f0418e5c

    • SSDEEP

      12288:rktg1lrjC8rjICqbwNjR4xq7iiX19K7Df/SoOKQrIB+jfP:rggD7PIEjR4xq7iiXTK7D3So9AIB+jn

    Score
    1/10
    behavioral3behavioral4

    • Target

      Dox Tool V3 Cracked/Search.ProtocolHandler.MAPI2.dll

    • Size

      276KB

    • MD5

      1eff11ced2866665f101892e9d097d14

    • SHA1

      3aeec6fb969b0036c6f940db4ce1e63bde607518

    • SHA256

      a90c1a13965f534565f98b4a7c0de5804b35482e9668f3d60df8a1c039e51ad9

    • SHA512

      4c1b8423f5c43f1676e9625af0ada601e19283744992c148c0f8e79bff655c56e694a866da9fa3eab178c231457d30d371e5b469045a45d26814937bbc171fd9

    • SSDEEP

      6144:5RFuPQsVHJ+gQEBTjsX1X503HjXZIEbBdkB80NcJSTxVhDWW3W6NBKxCf+G1q:cQb1X5+HxdkB80Nc0VhDWWmW8

    Score
    3/10
    discovery
    behavioral5

    • Target

      Dox Tool V3 Cracked/Tesseract.dll

    • Size

      122KB

    • MD5

      8eef5f1c4e31c2b9a240a906d87ac0c4

    • SHA1

      d7727a01aba3a5fa71338ef1287575ce64e6cdb4

    • SHA256

      118c10d00e5b366cdef45e334ff928513a3c6e1f55d19deb3a1527796c5ca3b4

    • SHA512

      c94b376147b60e09c931440f956466255731fe5dbe021f53a30b6f0a63506f5ad1b834b96ffa38828797f0536ea13c1ae10911cffee1ba485aa3455acff4953d

    • SSDEEP

      3072:RJb7xI+LGb4Whk/u+j5qvzpTKTzEeECjSh56q0m:TH+UGdAu+FB

    Score
    1/10
    behavioral6behavioral7

    • Target

      Dox Tool V3 Cracked/data/Ionic.Zip.dll

    • Size

      480KB

    • MD5

      f6933bf7cee0fd6c80cdf207ff15a523

    • SHA1

      039eeb1169e1defe387c7d4ca4021bce9d11786d

    • SHA256

      17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89

    • SHA512

      88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6

    • SSDEEP

      6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9

    Score
    1/10
    behavioral8behavioral9

    • Target

      Dox Tool V3 Cracked/data/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    Score
    8/10
    discoveryexecutionpersistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral10behavioral11

    • Target

      Dox Tool V3 Cracked/data/Newtonsoft.Json.dll

    • Size

      659KB

    • MD5

      4df6c8781e70c3a4912b5be796e6d337

    • SHA1

      cbc510520fcd85dbc1c82b02e82040702aca9b79

    • SHA256

      3598cccad5b535fea6f93662107a4183bfd6167bf1d0f80260436093edc2e3af

    • SHA512

      964d9813e4d11e1e603e0a9627885c52034b088d0b0dfa5ac0043c27df204e621a2a654445f440ae318e15b1c5fea5c469da9e6a7350a787fef9edf6f0418e5c

    • SSDEEP

      12288:rktg1lrjC8rjICqbwNjR4xq7iiX19K7Df/SoOKQrIB+jfP:rggD7PIEjR4xq7iiXTK7D3So9AIB+jn

    Score
    1/10
    behavioral12behavioral13

    • Target

      Dox Tool V3 Cracked/data/Search.ProtocolHandler.MAPI2.dll

    • Size

      276KB

    • MD5

      1eff11ced2866665f101892e9d097d14

    • SHA1

      3aeec6fb969b0036c6f940db4ce1e63bde607518

    • SHA256

      a90c1a13965f534565f98b4a7c0de5804b35482e9668f3d60df8a1c039e51ad9

    • SHA512

      4c1b8423f5c43f1676e9625af0ada601e19283744992c148c0f8e79bff655c56e694a866da9fa3eab178c231457d30d371e5b469045a45d26814937bbc171fd9

    • SSDEEP

      6144:5RFuPQsVHJ+gQEBTjsX1X503HjXZIEbBdkB80NcJSTxVhDWW3W6NBKxCf+G1q:cQb1X5+HxdkB80Nc0VhDWWmW8

    Score
    3/10
    discovery
    behavioral14

    • Target

      Dox Tool V3 Cracked/data/Tesseract.dll

    • Size

      122KB

    • MD5

      8eef5f1c4e31c2b9a240a906d87ac0c4

    • SHA1

      d7727a01aba3a5fa71338ef1287575ce64e6cdb4

    • SHA256

      118c10d00e5b366cdef45e334ff928513a3c6e1f55d19deb3a1527796c5ca3b4

    • SHA512

      c94b376147b60e09c931440f956466255731fe5dbe021f53a30b6f0a63506f5ad1b834b96ffa38828797f0536ea13c1ae10911cffee1ba485aa3455acff4953d

    • SSDEEP

      3072:RJb7xI+LGb4Whk/u+j5qvzpTKTzEeECjSh56q0m:TH+UGdAu+FB

    Score
    1/10
    behavioral15behavioral16

    • Target

      Dox Tool V3 Cracked/data/doxsys.exe

    • Size

      1.0MB

    • MD5

      8f36caf603f3f2b192c5fd06a8e3c699

    • SHA1

      44f387152ee1fb02a83ed0be5e942fd4a733e235

    • SHA256

      0ca828c630091173cafd2663393888849459fbc9581d1fd062567d0afdf79a38

    • SHA512

      9df012c7420a4f6224907a8ac1e3293985b30c9ff829ecc9cdeea56fdcaa1c46d8e131fdd9b525e6af092065a29401c11f24390ba30969e9f3ab7e60e094dcba

    • SSDEEP

      12288:GNTWV+v54B9H+hyf2SF6L6D5hKMzPg9e0oEPABi:GWVa4bHwkSYa4gk0omA

    Score
    10/10
    quasaroffice04discoverypersistencespywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral17behavioral18

MITRE ATT&CK Enterprise v15

Tasks