Resubmissions
31-12-2024 21:35
241231-1fmqnszqft 1031-12-2024 21:27
241231-1axzfssnek 1016-12-2024 05:27
241216-f5kx6awmh1 1014-12-2024 20:23
241214-y6jqlasrhy 1014-12-2024 20:22
241214-y51bysvmbk 1014-12-2024 20:13
241214-yzc98svkfr 1014-12-2024 13:14
241214-qgw1masrcy 1014-12-2024 13:12
241214-qfk7qsvlaq 312-12-2024 18:19
241212-wymq6ssnat 10General
-
Target
241127-xqsswsslej_pw_infected.zip
-
Size
12KB
-
Sample
241231-1axzfssnek
-
MD5
79fd058f7d06cc022de1786507eb26e3
-
SHA1
86590ec8ed73fd2951587561dff5387e9e0e18e6
-
SHA256
cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
-
SHA512
8316ac3782c05a3ebea4ca0868e33512e5ef29b251498f3af5ab261cd2010dec6b0eca8a57adcadb0d70653be2e22c0c2c137c7a38ec7b3d5ebbdd02e09c0227
-
SSDEEP
384:sBfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWT:wfACW6Dr8HWTHWT
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.100.18:4782
2cbe985c-9a4f-4f1f-a761-cd05d5feff4b
-
encryption_key
9493303F9F1D303190787B3D987F2DCB2BAF3CFD
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
remcos
RemoteHost
192.210.150.26:8787
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-R1T905
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
rhadamanthys
https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1fr
Extracted
quasar
1.4.1
Helper Atanka
193.203.238.136:8080
14f39659-ca5b-4af7-8045-bed3500c385f
-
encryption_key
11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424
-
install_name
diskutil.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
diskutil
-
subdirectory
diskutil
Extracted
asyncrat
0.5.8
Default
6.tcp.eu.ngrok.io:12925
hDtjdONRXVCh
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
stealc
QQtalk
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Targets
-
-
Target
241127-xqsswsslej_pw_infected.zip
-
Size
12KB
-
MD5
79fd058f7d06cc022de1786507eb26e3
-
SHA1
86590ec8ed73fd2951587561dff5387e9e0e18e6
-
SHA256
cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
-
SHA512
8316ac3782c05a3ebea4ca0868e33512e5ef29b251498f3af5ab261cd2010dec6b0eca8a57adcadb0d70653be2e22c0c2c137c7a38ec7b3d5ebbdd02e09c0227
-
SSDEEP
384:sBfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWT:wfACW6Dr8HWTHWT
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Vidar Stealer
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Stormkitty family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
XMRig Miner payload
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload
-
DCRat payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Modifies system executable filetype association
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1