General

  • Target

    https://mega.nz/folder/xnMzFRCA#dIVGf0RVmtFmXNwiM5kPcw

  • Sample

    250126-qhjrpatlcl

Malware Config

Extracted

Family

xworm

C2

193.31.28.181:7000

Attributes

  • Install_directory

    %AppData%

  • install_file

    RunTimeBroker.exe

Extracted

Family

quasar

Version

1.0.1

Botnet

Liminal

C2

193.31.28.181:4782

Mutex

b218401a-4db2-4567-adb2-e6027914b273

Attributes

  • encryption_key

    EF87D4BEA027C771BB62A5CF66FDFCF7F52A8A8C

  • install_name

    cmd.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    cmd

Targets

  • Target

    https://mega.nz/folder/xnMzFRCA#dIVGf0RVmtFmXNwiM5kPcw

  • Detect Xworm Payload

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family

  • Quasar payload

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks