Overview

overview

10

Static

static

5

2f7103e6c4...bN.exe

windows7-x64

10

2f7103e6c4...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2024 05:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f7103e6c45fd0f91657b9104ec213662ab46322eb5d8790144568b45d901f1bN.exe

  • Size

    1.2MB

  • MD5

    ba37fbfa3aeaeb232642fb5752862330

  • SHA1

    40f6e7246792025c8954d9a45c43a04e7c3b2fd5

  • SHA256

    2f7103e6c45fd0f91657b9104ec213662ab46322eb5d8790144568b45d901f1b

  • SHA512

    8f8f0e396218a538e03ed430cffaaf8cb4951f979ccef35961123eddfef282e018bc02c50bccede92b1ee3a9e14615ba1af495d600a471452de03ee70674046a

  • SSDEEP

    24576:srORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaFjUSbRUu5+Jitsa+AxSp:s2EYTb8atv1orq+pEiSDTj1VyvBaFRbY

Score
10/10
asyncratquasarvenomratcpudefaultdiscoveryexecutionratspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

CPU

C2

ejss.duckdns.org:2020

Mutex

QSR_MUTEX_sgY7Anj7tlDvpiNxYU

Attributes
  • encryption_key

    H7ySIe3YXqpHozYioZRn

  • install_name

    BlustacksHelp.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    BlustacksHelp

  • subdirectory

    BlustacksHelp

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

104.244.72.108:9999

Mutex

ncfsoe5550321hojhanhrzxqoijhkjhgjkhgf

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • VenomRAT 2 IoCs

    Detects VenomRAT.

    rat
  • Venomrat family
    venomrat
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f7103e6c45fd0f91657b9104ec213662ab46322eb5d8790144568b45d901f1bN.exe
    "C:\Users\Admin\AppData\Local\Temp\2f7103e6c45fd0f91657b9104ec213662ab46322eb5d8790144568b45d901f1bN.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 1 /RL HIGHEST /tn BlustacksHelper /tr %appdata%\Logistic\System.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 1 /RL HIGHEST /tn BlustacksHelper /tr C:\Users\Admin\AppData\Roaming\Logistic\System.exe /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1868
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 1 /RL HIGHEST /tn Blustacks /tr %appdata%\Logistic\svhost.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 1 /RL HIGHEST /tn Blustacks /tr C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3452
    • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
      PowerShell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:appdata
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:756
  • C:\Users\Admin\AppData\Roaming\Logistic\System.exe
    C:\Users\Admin\AppData\Roaming\Logistic\System.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4092
  • C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe
    C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0y1tgdd.hgx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Logistic\System.exe
    Filesize

    348KB

    MD5

    30f290b9b4219713e4b49a726019fe68

    SHA1

    2fdb773ad1436b964d712ece9147c1b2f9973ad8

    SHA256

    55cf1e6f2e5c517b59374ab01d7ace7f55a8944ecd3da5d0504704b796865ef9

    SHA512

    54bf270b2075fbbc039b431e8802ea4cae4131880f9b95d4737cbde2e63c302f7e5f60a9aa92ff8b10b2a20e8f777aaad626587efbde4621530a9f66501e0aa9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe
    Filesize

    74KB

    MD5

    248232d65b1270519512905808e12d44

    SHA1

    dede341cac2a986edda5a3a08e5f5a5ea37811a1

    SHA256

    dfcc60537938dac1dee3d4b4163ca33c61a9e3bae98fe63cf2b1addbd3aa4e5a

    SHA512

    9440c013516e9a2c298b2cff2069f68a1d21c6d18bf7780bea2c0bf047a6f3b413cd279f341373d93ee09e9b6b06f825d7f6d123a6e4c07e55c11e4f677af4f0

    Download Submit

  • memory/756-11-0x0000026B49B60000-0x0000026B49B82000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2872-29-0x0000000000900000-0x0000000000918000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4092-26-0x00000000007A0000-0x00000000007FE000-memory.dmp

    Filesize

    376KB

    Download

  • memory/4092-30-0x0000000005850000-0x0000000005DF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4092-32-0x00000000051F0000-0x0000000005282000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4092-33-0x00000000052A0000-0x0000000005306000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4092-34-0x0000000005820000-0x0000000005832000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4092-35-0x0000000006420000-0x000000000645C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4092-37-0x00000000067A0000-0x00000000067AA000-memory.dmp

    Filesize

    40KB

    Download