Resubmissions

16-01-2025 17:37

250116-v7e71s1ncy 10

16-01-2025 17:30

250116-v27eba1lew 10

16-01-2025 17:29

250116-v232ws1let 3

16-01-2025 17:29

250116-v21lrs1ldz 3

16-01-2025 17:27

250116-v1g32a1qfk 10

16-01-2025 09:47

250116-lsajjsvrgn 10

14-01-2025 12:40

250114-pwhacaykaz 10

14-01-2025 11:59

250114-n5y4saxngy 10

13-01-2025 14:41

250113-r2dv8avrgs 10

Analysis

  • max time kernel
    67s
  • max time network
    79s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-01-2025 09:47

Errors

Reason
Machine shutdown

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

stealc

Botnet

Voov1

C2

http://154.216.17.90

Attributes
  • url_path

    /a48146f6763ef3af.php

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Users\Admin\AppData\Local\Temp\Files\01.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\01.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2032
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 340
        3⤵
        • Program crash
        PID:2068
    • C:\Users\Admin\AppData\Local\Temp\Files\krgawdtyjawd.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\krgawdtyjawd.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1076
    • C:\Users\Admin\AppData\Local\Temp\Files\Petya.A.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Petya.A.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      PID:1036
    • C:\Users\Admin\AppData\Local\Temp\Files\DriverHost.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\DriverHost.exe"
      2⤵
      • Executes dropped EXE
      PID:4296
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2032 -ip 2032
    1⤵
    PID:3340

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\Files\01.exe

      Filesize

      188KB

      MD5

      918a571bfbc16e88f1abd23ebbade166

      SHA1

      d36c0de4368efa2bb733969208d0a3449f21afdc

      SHA256

      819d0b70a905ae5f8bef6c47423964359c2a90a168414f5350328f568e1c7301

      SHA512

      088202b310fea6ab6b92188d9be958eb3b9a078712002be38f7b23e7f91a629bb7fcd54bc6859d163496941c02addfa99cbcdf672d735dff4b89e5ae857e7d82

    • C:\Users\Admin\AppData\Local\Temp\Files\DriverHost.exe

      Filesize

      3.1MB

      MD5

      be32c281194c0a859cca202a418a16a3

      SHA1

      e2c3885c8bc9b24b492f68a2c69ebf0c488abebc

      SHA256

      9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36

      SHA512

      541266a8f6b23b74d40c9d2656adb963c92ed5f8f2f239aa472649958f934f29a37afd42dfe27e9dfc2991c529dc949bffb6766223593c9ff7418778ad9bd36f

    • C:\Users\Admin\AppData\Local\Temp\Files\Petya.A.exe

      Filesize

      225KB

      MD5

      af2379cc4d607a45ac44d62135fb7015

      SHA1

      39b6d40906c7f7f080e6befa93324dddadcbd9fa

      SHA256

      26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

      SHA512

      69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

    • C:\Users\Admin\AppData\Local\Temp\Files\krgawdtyjawd.exe

      Filesize

      239KB

      MD5

      d4a8ad6479e437edc9771c114a1dc3ac

      SHA1

      6e6970fdcefd428dfe7fbd08c3923f69e21e7105

      SHA256

      a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b

      SHA512

      de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07

    • memory/1036-32-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1036-31-0x000000000041A000-0x0000000000427000-memory.dmp

      Filesize

      52KB

    • memory/1076-23-0x0000000000400000-0x0000000000650000-memory.dmp

      Filesize

      2.3MB

    • memory/1076-21-0x0000000000400000-0x0000000000650000-memory.dmp

      Filesize

      2.3MB

    • memory/2216-5-0x00000000747A0000-0x0000000074F50000-memory.dmp

      Filesize

      7.7MB

    • memory/2216-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

      Filesize

      4KB

    • memory/2216-4-0x00000000747AE000-0x00000000747AF000-memory.dmp

      Filesize

      4KB

    • memory/2216-3-0x00000000747A0000-0x0000000074F50000-memory.dmp

      Filesize

      7.7MB

    • memory/2216-2-0x0000000005570000-0x000000000560C000-memory.dmp

      Filesize

      624KB

    • memory/2216-1-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

      Filesize

      32KB