Overview

overview

10

Static

static

5

2f7103e6c4...bN.exe

windows7-x64

10

2f7103e6c4...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 05:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f7103e6c45fd0f91657b9104ec213662ab46322eb5d8790144568b45d901f1bN.exe

  • Size

    1.2MB

  • MD5

    ba37fbfa3aeaeb232642fb5752862330

  • SHA1

    40f6e7246792025c8954d9a45c43a04e7c3b2fd5

  • SHA256

    2f7103e6c45fd0f91657b9104ec213662ab46322eb5d8790144568b45d901f1b

  • SHA512

    8f8f0e396218a538e03ed430cffaaf8cb4951f979ccef35961123eddfef282e018bc02c50bccede92b1ee3a9e14615ba1af495d600a471452de03ee70674046a

  • SSDEEP

    24576:srORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaFjUSbRUu5+Jitsa+AxSp:s2EYTb8atv1orq+pEiSDTj1VyvBaFRbY

Score
10/10
asyncratquasarvenomratcpudefaultdiscoveryexecutionratspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

CPU

C2

ejss.duckdns.org:2020

Mutex

QSR_MUTEX_sgY7Anj7tlDvpiNxYU

Attributes
  • encryption_key

    H7ySIe3YXqpHozYioZRn

  • install_name

    BlustacksHelp.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    BlustacksHelp

  • subdirectory

    BlustacksHelp

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

104.244.72.108:9999

Mutex

ncfsoe5550321hojhanhrzxqoijhkjhgjkhgf

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • VenomRAT 2 IoCs

    Detects VenomRAT.

    rat
  • Venomrat family
    venomrat
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f7103e6c45fd0f91657b9104ec213662ab46322eb5d8790144568b45d901f1bN.exe
    "C:\Users\Admin\AppData\Local\Temp\2f7103e6c45fd0f91657b9104ec213662ab46322eb5d8790144568b45d901f1bN.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 1 /RL HIGHEST /tn BlustacksHelper /tr %appdata%\Logistic\System.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 1 /RL HIGHEST /tn BlustacksHelper /tr C:\Users\Admin\AppData\Roaming\Logistic\System.exe /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2784
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 1 /RL HIGHEST /tn Blustacks /tr %appdata%\Logistic\svhost.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 1 /RL HIGHEST /tn Blustacks /tr C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2780
    • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
      PowerShell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:appdata
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {05F5EEA9-4B38-46B9-A94B-7BDA18B8C461} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe
      C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2832
    • C:\Users\Admin\AppData\Roaming\Logistic\System.exe
      C:\Users\Admin\AppData\Roaming\Logistic\System.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Logistic\System.exe
    Filesize

    348KB

    MD5

    30f290b9b4219713e4b49a726019fe68

    SHA1

    2fdb773ad1436b964d712ece9147c1b2f9973ad8

    SHA256

    55cf1e6f2e5c517b59374ab01d7ace7f55a8944ecd3da5d0504704b796865ef9

    SHA512

    54bf270b2075fbbc039b431e8802ea4cae4131880f9b95d4737cbde2e63c302f7e5f60a9aa92ff8b10b2a20e8f777aaad626587efbde4621530a9f66501e0aa9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe
    Filesize

    74KB

    MD5

    248232d65b1270519512905808e12d44

    SHA1

    dede341cac2a986edda5a3a08e5f5a5ea37811a1

    SHA256

    dfcc60537938dac1dee3d4b4163ca33c61a9e3bae98fe63cf2b1addbd3aa4e5a

    SHA512

    9440c013516e9a2c298b2cff2069f68a1d21c6d18bf7780bea2c0bf047a6f3b413cd279f341373d93ee09e9b6b06f825d7f6d123a6e4c07e55c11e4f677af4f0

    Download Submit

  • memory/1872-22-0x0000000001360000-0x00000000013BE000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2708-4-0x0000000002B00000-0x0000000002B80000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2708-5-0x000000001B770000-0x000000001BA52000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2708-6-0x0000000002790000-0x0000000002798000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2832-23-0x0000000001390000-0x00000000013A8000-memory.dmp

    Filesize

    96KB

    Download