Overview

overview

10

Static

static

3

4363463463...63.exe

windows7-x64

10

4363463463...63.exe

windows10-2004-x64

Resubmissions

16-01-2025 17:37

250116-v7e71s1ncy 10

16-01-2025 17:30

250116-v27eba1lew 10

16-01-2025 17:29

250116-v232ws1let 3

16-01-2025 17:29

250116-v21lrs1ldz 3

16-01-2025 17:27

250116-v1g32a1qfk 10

16-01-2025 09:47

250116-lsajjsvrgn 10

14-01-2025 12:40

250114-pwhacaykaz 10

14-01-2025 11:59

250114-n5y4saxngy 10

13-01-2025 14:41

250113-r2dv8avrgs 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4363463463464363463463463.exe.zip

  • Size

    4KB

  • Sample

    250116-lsajjsvrgn

  • MD5

    7b2b0ccc6317a6becadaf5e02311202e

  • SHA1

    ccad99b8fad61369101e068f0c3a5bec9cfa309f

  • SHA256

    bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

  • SHA512

    b7af04ee0792d2a13ffd7013e7c5f98cf037f06f8597e4f3261af04252137483ff7fcb7db28c60a543f130ac65307cd1c7a831c2267fa78a91f9acdcc535744a

  • SSDEEP

    96:ALOzCoGgabugh2Yu8fjMIsSv3JGHUrD5gf2jxkS7xQIKWV7YNgGptaT+YaL:ALObGgabf88jgcxR1NWIXWgGpo74

Score
10/10
quasarstealcoffice04voov1bootkitdiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.43.241:4782

Mutex

0517af80-95f0-4a6d-a904-5b7ee8faa157

Attributes
  • encryption_key

    6095BF6D5D58D02597F98370DFD1CCEB782F1EDD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhost

  • subdirectory

    SubDir

Extracted

Family

stealc

Botnet

Voov1

C2

http://154.216.17.90

Attributes
  • url_path

    /a48146f6763ef3af.php

Targets

    • Target

      4363463463464363463463463.exe.bin

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    quasaroffice04discoveryspywaretrojanstealcvoov1bootkitpersistencestealer

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Stealc family

      stealc

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks