Analysis
-
max time kernel
91s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-12-2024 18:40
General
-
Target
FlashingSoftwarePRO.exe
-
Size
3.1MB
-
MD5
b2f5d1078f1ed4eb8547f19b48dc5126
-
SHA1
657254864bfab24f564888e230da7f46266ecb4c
-
SHA256
4f872140210a9253c0deb66a65f0c265a194e85d99a639f406d927a1ac760903
-
SHA512
9f850a289fd4ac3b7f1e94e8ec179b99e6ae9c78cd7ef164aefd87c4d14d9f7995c60596cc1720a17afe0fc40d32715886a9fd8695c11ac6941077e45528c882
-
SSDEEP
49152:vvxI22SsaNYfdPBldt698dBcjH1uRJ6ebR3LoGduTHHB72eh2NT:vvi22SsaNYfdPBldt6+dBcjH1uRJ6Y
Malware Config
Extracted
quasar
1.4.1
svchost
7.tcp.eu.ngrok.io:10771
7.tcp.eu.ngrok.io:4782
75e27cf2-023d-4d6d-9a0d-265f3da40a2e
-
encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
300
-
startup_key
RuntimeBroker
-
subdirectory
System32
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\System32\svchost.exe"C:\Windows\system32\System32\svchost.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /delete /tn "RuntimeBroker" /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PVfbMJtMSePo.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
203B
MD5692db2317d23e257545cc4260e54a637
SHA1032e5fe568f059c214ebb00b6f64e194e4337742
SHA2562049c72a1373c22b3284fc55464c91db5508dabf05980dca7fa53e34b1a1c60a
SHA51254621261081a63179f025d29bc612dfd22828b38fbd61751a2453a6fa0c9fc9ac111d552fc5713791e11256fcb82983a2f7fae4e20ee46c34fa5e2aba458e6c4
-
Filesize
3.1MB
MD5b2f5d1078f1ed4eb8547f19b48dc5126
SHA1657254864bfab24f564888e230da7f46266ecb4c
SHA2564f872140210a9253c0deb66a65f0c265a194e85d99a639f406d927a1ac760903
SHA5129f850a289fd4ac3b7f1e94e8ec179b99e6ae9c78cd7ef164aefd87c4d14d9f7995c60596cc1720a17afe0fc40d32715886a9fd8695c11ac6941077e45528c882
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
712KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
3.1MB