aresloader

Sharing

Copy URL

Twitter E-mail

General

Target

dogecoin-1.14.9-win32.zip
Size

22.4MB
Sample

250109-n4c5xs1ngm
MD5

61feb1d444654b7f757c25397701bd9e
SHA1

bb1b8f3b3b3818e99b069c5332c6f3293f9f7af2
SHA256

3d5f7b3325f260dc291e2b1c24c54818d2edcde5527ef31168016ae9aad25fc6
SHA512

d2f4d91e9ac9d0e4b1896d6b4ef979fee14521fa79972ac379c6f22e22235a0b2a23c3b792d24fe109722fb6feb43abc138dc5f1c47e85cbf0dad68d6be0249b
SSDEEP

393216:LIjwwCdNQ6aWrOIUweRBOhRPOrfNCg/LryUVsRKlcEdxkbfFX7h7kg7VoJ:LIkwONQ6aWa0ezOhRW5PHLuKLxqog74

Score

10^/10

Malware Config

Extracted

Family

aresloader

http://127.0.0.1:22555

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

RAJARUS817.mooo.com:1555

Mutex

QSR_MUTEX_W6w7FxAeflnmbVB0X8

Attributes

encryption_key
Tp9dx8nrMunH9hPbac6o
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  dogecoin-1.14.9-win32/daemon/dogecoin-cli.exe
- Size
  
  3.1MB
- MD5
  
  e2a7f28a056c9f054e0e2c5811c56aaa
- SHA1
  
  3d8b4d9d8d920ba924e98ad2ccdf6aa08bb77065
- SHA256
  
  a229bf2c62e0302db9f3814f046619a45ea185494ad79f1fea8a950876677766
- SHA512
  
  3e8ce348b53e9ead9de7aa494100055e92bcd9c02b13fb77d9bb4954e59c22e554ba40062fb66a82f6fdbdddaa55faee415b945aeb595df9bc5618307b632738
- SSDEEP
  
  98304:D7ooEAQrh2kWoyDAjfLr5I5WwJSZsPqTWURVlDvbydxoYRzQ2gCKp:D7oqw2kWo8AjfLr5I5WwJSZsPqTWURV9
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  dogecoin-1.14.9-win32/daemon/dogecoind.exe
- Size
  
  10.8MB
- MD5
  
  bd105bf449a53559a1f03bc3cee01201
- SHA1
  
  beb01382e4f15f3ba0073816dcefdec05206bf6a
- SHA256
  
  a2ea0f21d7b418869651c791d8973c983cca3964aee225d03fbf9d72a2a18b31
- SHA512
  
  8d8605bfa802ea1bc491e1a9a63b7d01ac73f45b9e29777aacdc0d82fa85d7a6100b53b3ab6fe83c110444ef7e391e6f9b502b3c2f78da96918156b93135a060
- SSDEEP
  
  196608:6rGbOYFXKiN8lytROoQIv+vaMiYYkO1KNT7muZemqBFrKUr8920vqb8i9lpmP5sM:f1XKAQ8CzKuZenbZLbXuHSb4AjbfMkpq
Score

10^/10

aresloader discovery loader
- AresLoader
  AresLoader is a loader and downloader written in C++.
  loader aresloader
- Aresloader family
  aresloader
behavioral3 behavioral4
- Target
  
  dogecoin-1.14.9-win32/dogecoin-qt.exe
- Size
  
  34.1MB
- MD5
  
  f421c6d2c8e4a07d7be1a13a4cbe6c82
- SHA1
  
  6f25ceaeeaf69d7dd662f39c46bcb4470cac69c6
- SHA256
  
  651f67cb96ed59fa41171741443710eb47a17d6173a925ad57a4f142bf50842a
- SHA512
  
  d99873cceb05d3430ebe4235298e8649c20c13977e230bcd7bca92dd68ffde5a55b24ce241ea92879b005117414adbd18149a7984089b6ad3b0e5e2a3fc8889f
- SSDEEP
  
  393216:HPvtaqFj3oP1L1d00XqDtb4knbfRVBhHjcF7X+lx+adk5j4xbRVeawa9AV88NrbQ:HPvtaq3oP15chHWX+v+drlTMx
Score

10^/10

aresloader discovery loader
- AresLoader
  AresLoader is a loader and downloader written in C++.
  loader aresloader
- Aresloader family
  aresloader
behavioral5 behavioral6
- Target
  
  dogecoin-1.14.9-win32/dogecore.exe
- Size
  
  1.4MB
- MD5
  
  a412fa073a2b48c547f7afd8a9341d51
- SHA1
  
  c85ba3bc4a0352db1d6e8da0002cfcb5a8006aed
- SHA256
  
  631d517636bf46e596ec6b150c19165e89a900290fcfda2d63d914f64e6ba7cd
- SHA512
  
  e11e6a15d17c7d72efa064d1bf1712a5f170055cf4e657df7db307dbca4a5bdc390496f11735f4be2b8c1197042c61cb13ddcff695756ffd08cf9841e40c2664
- SSDEEP
  
  12288:6tGo9MjVyuQxY+wTDCWJZfeXetmPtWb1tt1CX1Rfg1i61xSxbN1Km1RQQI13h1AC:p7rXDBPeXALlSVLukdoo8q
Score

10^/10

quasar office04 discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  dogecoin-1.14.9-win32/uninstall.exe
- Size
  
  479KB
- MD5
  
  67d544d525bb4215883387ed293306f3
- SHA1
  
  a22c55be841dc7fefb893a5dec32cf236ed7ed61
- SHA256
  
  d3d9902cd4bd86b91a7093c58c3a7259a00c5d7fee672123b540aca9ca55e704
- SHA512
  
  700f390f0e3de76de843cc48b6f90acb77b03bacf2b5941ed05493ce14b992479f98e8827656ca35f40ef0576fe452eab728c99ed3c88c0085f0bfb38d077111
- SSDEEP
  
  3072:ig6nXHTSMyxWxVIkvfG5fJK7NpkXbL6XiDUqN16ZVdzCthvAEijAumv7s8CJBcUy:4nNywR4Y7NpyHaE12zshvAhEfkjMPRD
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Aresloader family

AresLoader

Aresloader family

Quasar RAT

Quasar family

Quasar payload

Drops startup file

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10