General

  • Target

    FragStreet Skid Operation Archive (1).zip

  • Size

    19.6MB

  • Sample

    250101-bvbjhsyrgy

  • MD5

    984a0d8464b0aa4bee7b81408bea89bc

  • SHA1

    450058835739f6995ac3004fc47181cfbafa82e2

  • SHA256

    742b7f6f9540d326cc531b10eee061dbe0bcb385ff1e0d6c854f6b1944be7a4c

  • SHA512

    e8e8e637246906a7d907f9815ca6a6d1bf8fc5af59e47ee0368c1d7e3744dec8a8a0ef0f884119b041c7ea62ecb6c913fba528cc774065d14a6e785950de1cc3

  • SSDEEP

    393216:VnRAGHHrekplInGdI1FQzxbeBNDL+CJ3yRXn9UjsB8ummfV:VRFrekma2FeODX26IB8Zm9

Malware Config

Extracted

Family

quasar

Attributes

  • encryption_key

    UYuffn7sjORhWaLRoveU

  • reconnect_delay

    1200

  • startup_key

    S !qi��QrD�ج�

Extracted

Family

quasar

Version

2.1.0.0

Botnet

settings

C2

xetica.ddns.net:4782

127.0.0.1:4782

samlit.ddns.net:4782

costic.bounceme.net:4782

Mutex

Cyber_Wire_hAivDNiQ0KExWgVVWh

Attributes

  • encryption_key

    YK2lGttIrVUe0cTViKFu

  • install_name

    settings.exe

  • log_directory

    counterstrikego

  • reconnect_delay

    3000

  • startup_key

    counterstrikeload

  • subdirectory

    counterstrikego

Targets

    • Target

      CtsJrk922yCsVz5Ft2hu.ViR

    • Size

      136KB

    • MD5

      025ef85aa978697c32e03486dcea78bb

    • SHA1

      aed8d9e8f56679591d73ee96db9463db3fbf1feb

    • SHA256

      16dcd685d0210a0bf7378bbfac6cef7514fa4eec93968708801dae28f243be5f

    • SHA512

      350995d0c1207130dc55b706f400639afd3f608428a45e1754964224d17d7bc9daba6a49bf9f1b787575c6045ba1fbfc30ae41531c8c2ce538da987e0307b367

    • SSDEEP

      3072:euv02y7DXxgppeKwgBSRint5ceZzHkmFIlxe40RkL:ec4ELwgARwt5ceXFIlxrJL

    • Score

      3/10

    • Target

      Gm8nhdPr6FaS3JrvM3b8.ViR

    • Size

      132KB

    • MD5

      a1dd2f2a93306661c6ad4132bdfa6b3f

    • SHA1

      98cd58616f28912f1f1e20665c5fc50af7f9d39d

    • SHA256

      482aaffd5576b36462ece9e1a996dfc6aa41a22b7675de67a9fa1e51d47501ae

    • SHA512

      99cf6497efa1b57c358498fe98c0ae7fe4a033887a42710c4e7578a004d6ae1f6c69a57519e036a8cf1c43f86105ad8e1574237cfa0947d340880b857e598c10

    • SSDEEP

      3072:lrCsX1HMHhYdwhrgjUG4t5ceLsHkmFIMxe40RkL:lrJj+rg4rt5ce4FIMxrJL

    • Score

      3/10

    • Target

      HsSGqhA8hLnRhzEU.ViR

    • Size

      2.9MB

    • MD5

      cff6d32fcf161fee5537d671088a9c69

    • SHA1

      b7e25d124e1104d9f5e4db75189d1040523166c8

    • SHA256

      28152bd25dcb79c1fe7f7fc8a8ca1990567dc9bc46385139908978a1bdf61c37

    • SHA512

      5e63001d649d80634273e8cdb7143d7c423f2b2e210e4f16982126726bf0ff6792edc6ffc131fc89826d5ff9f2ab396d0f220fbaf305682eb0495f55080921e8

    • SSDEEP

      49152:tIe8YWczZM9/RYOcsTo1pWYXb7PfbRpRhtjsA5LZVVIbiF30QHWgwQXST:tGYLq9/RYOlTo//DRpRHjsQZJNLeQXc

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      N3t5RKDARsCt3RFW6gs5.ViR

    • Size

      432KB

    • MD5

      2349cd780eac65d923afb73813755364

    • SHA1

      f065e638cde41bac4bf25d44c06d4e5ab9cdb1dd

    • SHA256

      b1426321f796797ed6d5364f2b9e151c688d0990ab4728cc8be77fe99b16cf73

    • SHA512

      fd5a01f18c9924286ba02706f98e14114079bee8e0ff38a872ed3b9359216668126ac693f665d402218ce53e03bdc1fc42923c00f2e3201ac65fb9573574bce2

    • SSDEEP

      6144:4/5XfS/Z6VM/Jh9+oepIytYBdTQW1uuB06ExTTUNZMu0DWRj2VqHc3J:4hXfS/4VM/Jh9l5tZVUINyZKRji3J

    • Score

      3/10

    • Target

      Uy9ey23Uewvje3r5nUrM.ViR

    • Size

      432KB

    • MD5

      bd4abcced01d22f1b083552bc3e05d76

    • SHA1

      389d6a6f0a8348bb833385d6ecac4fb4eb7a3a78

    • SHA256

      0366785403e8e7ca8bb25190c4f4fd50f2d50533f4d8bac2765f277bd803d1e2

    • SHA512

      f8bfaa7e3ee2961c12f4970f1cc088d0d3cc3bc992a11e31d4a67f046cd8f0475eef634410fb36bf1f0368658cf74462ef64d54d9ddeaef127d42604436d20a0

    • SSDEEP

      6144:vpWcLvO/wIdXhnCpeG7TQWr+eZ3hH4otpc+R9RD1Kbw3F:vpWczO/wIdXQPFZ3tvtyo9RDD3F

    • Score

      3/10

    • Target

      WagxdrGrZF8Wh8KQzsGd.ViR

    • Size

      132KB

    • MD5

      e89abdf4d6b5233150c8730a2fb41382

    • SHA1

      c97a026fb413fd3b2f9b6450eb80acaea3b3adc6

    • SHA256

      232ba926c9c1263c1c453c50b70840d202e71b4f0c9730df852fccc71158449d

    • SHA512

      c59519eb58f742da50a63a2bfeab3873f615fa0d5e7bc464bdf36fadfabd7bca2a1464efc3853a819bd7db817d544a35ba851b7196f674822ff2b0cddacffdbf

    • SSDEEP

      3072:LqO7K44IwYklrSg8Q5nt5ce54HkmFIDRe40RkL:LAI6SgVtt5ceeFIDRrJL

    • Score

      3/10

    • Target

      XS3RCrw6cja4k37R.ViR

    • Size

      2.9MB

    • MD5

      f3ba5347ffc2817bdc668d04129696e0

    • SHA1

      723e86d39d02c19baf20c963104f0c7ffc8c3825

    • SHA256

      22649877c97dc3199e05f47cdbb10feb88b890091fde5281296cf014be1f087e

    • SHA512

      df4044b170519f5cd5d8126078cb252bea2b739b6aca524b1cb3eed5db1fd449a83aa6461ba303d95ad65ea043879b4389a942b234d95d502861e7060f8a2d92

    • SSDEEP

      49152:ibv+MKwSlvMN3O8/K9UJctvncMD8x8aDuctVNtDbui5EAq40sL1JzSLeKF:4vHKHhcm/pcMIxL5DbwH4NhJW

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      apc.ViR

    • Size

      10.0MB

    • MD5

      1f207fcc72414a370519449b12e39a44

    • SHA1

      0c3b895a73bbd8af2a759c8fa91a34a50a706e68

    • SHA256

      d65b0f0fe9f34ed76a2a00737fba3b9b9613337cf3ba5c4d933844f67cdcd94f

    • SHA512

      188f081a964e94e68247a5375c99398ad232188462a33df655c87cad48fbd1763e0f7378e5381040a3d04da2477a0492c31875a5819c57315de16e2865d5aa78

    • SSDEEP

      196608:NlB9RAwnh0Lwl2srNygSRkpmY8jYIn2dEAI1RbQRVIbFN6UqeBmc1RL:TnRAGHHrekplInGdI1FQzxbeBNDL

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Suspicious use of SetThreadContext

    • Target

      eQc4AK3Pa7bAmp6b8gma.ViR

    • Size

      468KB

    • MD5

      07da7a30c7c6c64264fcd80e66d59db1

    • SHA1

      11e62ed62744a29962ae522340bbee7382363e25

    • SHA256

      cc7f7fd56b62ebe7d4a8b8ee07ee170350149dae643ce0b002e7daf08e113545

    • SHA512

      ec1f612d49896cfdc74f176a9dfae18a34322173125aec25f19e0fccaf62f8aa5f5f568b4894f553bc045b67997c26a410a72b7d9b5a00c61eab4624cbeab10f

    • SSDEEP

      12288:0RvMxmp/bqplWdBCu5DVA5BLR+51H/XOp/:058S/OvcQlR+5l/XC

    • Score

      3/10

    • Target

      kXAm48KxapgrcVSF2hHJ.ViR

    • Size

      144KB

    • MD5

      b8a139937e4030db1dd1fb7acf31d65b

    • SHA1

      f03364260cfd275197cf8ee67ac47a28137695f1

    • SHA256

      b260941683c04fd2fc44334f89e5edf4bbacd2b0bf227ba9ed555b7ce4f1d9ed

    • SHA512

      5c2ae6976b3d357171c317da0bf02616d287c282d1d6db4ed3439affa66eab5d21b9967f29774e890b2d496bc46ef73b82797d8cde6a414ecc67e1b8d21ee33c

    • SSDEEP

      3072:IqO7K44IwYklrSg8Q5nt5ce54HkmFIdRe40RkLnEDJ/6JdSf:IAI6SgVtt5ceeFIdRrJLni/6J0

    • Score

      3/10

    • Target

      ran.ViR

    • Size

      299KB

    • MD5

      acacecf78dc7c8ef8b23609236ca89c7

    • SHA1

      be0173f10ee8483b801a0bd58b96b9bcc437cd9e

    • SHA256

      8f340f5705f75c07e978ba7d7f3347ce25e7dd10d85802341d75d0045a7234e7

    • SHA512

      38709d9ee5239daf0fd26d26d2dfaa2de638033d8e64e4cfcd560b895325c8b68e464c8e32def91b045d4859aa1e46f1df5eb9f4aa5d6fb5a726692928f1f636

    • SSDEEP

      6144:GkP5HeFblXMcWAwWwb1spweUTs61gHf5cbjw6Uneaod:NhHeFZXMcWAwWwb1yweUTsW1br

    • Score

      3/10

    • Target

      settup.ViR

    • Size

      2.5MB

    • MD5

      588fe8868e13672fc1fdea352bde4e42

    • SHA1

      bea94309199c708aaca32782b3ea8dd520471b63

    • SHA256

      d774dc630950d2b7826432c0cd8325d399940204fdafd67eed5fbe21f9536046

    • SHA512

      d17c312ecce5f1b8502308d3d69539744a8b9b680a6512753d0ec49d9da0643db99df7459fb02c47fe81c310c359c89639592c0d9f9e4e1a6d8d8765fc619bfb

    • SSDEEP

      49152:F1u2RjaCzRPaDysOZZ4fYIu6pBcTDu39HgKUFmzS0NbIB+grQQms:aYuMmfnBcP69HgKTC/r

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      t44fqRsSRCmz8Q8Nxk7a.ViR

    • Size

      432KB

    • MD5

      bd4abcced01d22f1b083552bc3e05d76

    • SHA1

      389d6a6f0a8348bb833385d6ecac4fb4eb7a3a78

    • SHA256

      0366785403e8e7ca8bb25190c4f4fd50f2d50533f4d8bac2765f277bd803d1e2

    • SHA512

      f8bfaa7e3ee2961c12f4970f1cc088d0d3cc3bc992a11e31d4a67f046cd8f0475eef634410fb36bf1f0368658cf74462ef64d54d9ddeaef127d42604436d20a0

    • SSDEEP

      6144:vpWcLvO/wIdXhnCpeG7TQWr+eZ3hH4otpc+R9RD1Kbw3F:vpWczO/wIdXQPFZ3tvtyo9RDD3F

    • Score

      3/10

    • Target

      yQfWHCcHZBxkae69c58p.ViR

    • Size

      432KB

    • MD5

      bd4abcced01d22f1b083552bc3e05d76

    • SHA1

      389d6a6f0a8348bb833385d6ecac4fb4eb7a3a78

    • SHA256

      0366785403e8e7ca8bb25190c4f4fd50f2d50533f4d8bac2765f277bd803d1e2

    • SHA512

      f8bfaa7e3ee2961c12f4970f1cc088d0d3cc3bc992a11e31d4a67f046cd8f0475eef634410fb36bf1f0368658cf74462ef64d54d9ddeaef127d42604436d20a0

    • SSDEEP

      6144:vpWcLvO/wIdXhnCpeG7TQWr+eZ3hH4otpc+R9RD1Kbw3F:vpWczO/wIdXQPFZ3tvtyo9RDD3F

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks