blankgrabber | b9b8c850493be6e607e8889371bcb565ac25fada7d27cca10230e50b253b3cd6

Sharing

Copy URL

Twitter E-mail

General

Target

21071068560.zip
Size

55.0MB
Sample

250131-kntaes1kg1
MD5

0d0b3a00e7bf055282ceae7726ce251a
SHA1

61017e694ae8036eccdf38e661930fd0415851d2
SHA256

b9b8c850493be6e607e8889371bcb565ac25fada7d27cca10230e50b253b3cd6
SHA512

2fc48b0d3c4bf7a831483c608a9cffb83aa11c637a68e5daf98792c7b637e1bcd77833e32f2325dd492b0ca77e17670680fe81cf96975c5d59fb2738ab614127
SSDEEP

1572864:UQ/J+ohl1sQ8m549qpfEBRs6B1X8Hol8Bvgy5BOJ:D+8lK8SqpfEBRswPiB4OBOJ

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ALINAA

youtubevideos.duckdns.org:6

Mutex

QSR_MUTEX_c50LUXwDkjFdsHNXKw

Attributes

encryption_key
IyL3NZsArZqP2e5avVTp
install_name
csrssss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
csrsss
subdirectory
microsoftsa

Extracted

Family

remcos

Botnet

RemoteHost

185.42.12.75:2406

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
010325
keylog_path
%AppData%
mouse_option
false
mutex
010325-YWFFXL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  14ed02af2bfe80834dd59bd49650f5c982da1a9bf2a437450ce113eb6fcf9ee1
- Size
  
  7KB
- MD5
  
  4262c56e7745e6a4203c77550586571f
- SHA1
  
  98df4673cd065861e7b52dca9d55f836abd10872
- SHA256
  
  14ed02af2bfe80834dd59bd49650f5c982da1a9bf2a437450ce113eb6fcf9ee1
- SHA512
  
  1fa4772eb617fd3a44b53f308c939eee181c262c9619b91f1cb25913d906a426b94bd8c66cb83508dab31836fc8d410db184444b44da4d5e65dd88b29347a4b6
- SSDEEP
  
  192:Aemtzvx1X/L3YLSB5p26kL3LKLQKpJZsfjr9pT:AjZLX/LoLOp26kL3LKLQKHefjr9p
Score

8^/10

discovery persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  166bcfa4ec03b68bc4ee3fc95806f6d155575be88cbc3c4b7aa5891ca3cc6a88
- Size
  
  7.0MB
- MD5
  
  7769471020771ada31404ebb8ba50488
- SHA1
  
  aaff0d91bb02efb94d618350371453dc3c80f6f8
- SHA256
  
  166bcfa4ec03b68bc4ee3fc95806f6d155575be88cbc3c4b7aa5891ca3cc6a88
- SHA512
  
  89101f72dddf22077244b0700344b09bd68bc5f0cf6c227990106e55d2258f9710890ce333423f442cd64c314ec0e0b533f4f858fbd3fe582f14cb9b86a78bba
- SSDEEP
  
  196608:rmRwZrBuYDUWBL2V76+D3c/f/+SHSEqEglapjnfi:KmwWBL2V76m3c/eFRMf
Score

7^/10
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  18f6e53cc27bda15c98f79e76f9210bf05b1d8528b96cf4c1523a7aeec7532bc
- Size
  
  27KB
- MD5
  
  417553881da49a126f84dae69f2ace8e
- SHA1
  
  b7f6007d5ee148166fa6aac3b48efbdd44d19d9b
- SHA256
  
  18f6e53cc27bda15c98f79e76f9210bf05b1d8528b96cf4c1523a7aeec7532bc
- SHA512
  
  2627d53b45fc343242a8fb0a046e4cd8eea9f8d71f035668094e725af75d6e0d76acab7487f78e0c6d911341ed20c20e4ec3e5b41a2af2b99211790f934c4ddc
- SSDEEP
  
  384:1u0pb2XIUhQAepwAtHDhwAeL/+ZlE3O/DFJFr4cpA25DMOgr2N85l6b1iCon3/Lm:zGRKMsfen2SofiCon3/L6T+pq
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197
- Size
  
  933KB
- MD5
  
  fc281301d3036bd01fc4ab1a48dc1730
- SHA1
  
  9e6b52a0b45ad7bd4d55a98c20b1e15d121a5650
- SHA256
  
  1ecdd2baa03fa76ba2313ef30be6678fda212eaf2878d8e2b9557ad2aec9f197
- SHA512
  
  fffb60febbca27c3a7a2a6f850bdcb2e6cdc5b170149970e1a9ef00c6f710eb42dc969c6fceda0e0b5e8ad1195a7c217df939cdb398fbfc68d325bc33c058256
- SSDEEP
  
  12288:RN1905Lqnnl2Zg0gnW0X7X4sonr1Wqb1bqUXo529tVHP9pwgUVDT33rzzNedKEYl:H8qnnvGRWI0Gnl3UVP3zYG
Score

7^/10

adware defense_evasion discovery spyware stealer trojan upx
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  defense_evasion trojan
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral7 behavioral8
- Target
  
  259af5147b99b4c014aeb425aaf236fc76ab60f1aa06efa77027393854e5fff4
- Size
  
  598KB
- MD5
  
  1a3ba254d32de12dbe0904488c32a170
- SHA1
  
  765a928062c0b7af519eb014efadcf9b0f184b5d
- SHA256
  
  259af5147b99b4c014aeb425aaf236fc76ab60f1aa06efa77027393854e5fff4
- SHA512
  
  be7118c53caa6d3effc2fba079f8ecddc7e4c7b2e87ca5899719602709fd8a0a67e8a5322dfec31f9184218e31a46ccaf9d039b8018ca5248ac4795f235fd9d4
- SSDEEP
  
  6144:bKWlw1DxD1ASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2H:b7lw1DxZ5zfXeYU43fiysgfBnnl2H
Score

10^/10

revengerat discovery stealer trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- RevengeRat Executable
  stealer
- Executes dropped EXE
- Loads dropped DLL
behavioral10 behavioral9
- Target
  
  4c8b1c9ed7ba0d921b0971a3e5de96bfdb3b18024e8880c7aaa2759f13c01316
- Size
  
  6.3MB
- MD5
  
  cd7754cff6dfeea0b5d8bb51abe32d7d
- SHA1
  
  dc88b17814ef892d1410b261b52e96684a7dd1b2
- SHA256
  
  4c8b1c9ed7ba0d921b0971a3e5de96bfdb3b18024e8880c7aaa2759f13c01316
- SHA512
  
  c0e9e8750b1a607ccd76033c2be7eee4447b199412206903c0012d3175357c27826ddb659c30382690428676978fe97d0bb9c19bc4df4fb53994937ef7adc659
- SSDEEP
  
  98304:Iqcn1rB4qecWyIFft+EGSB5Fgd41YQ6sFZ/Pee1R1+jIxnSLIJ7RC+aLW:IrBawEGmHQxq/2edcCSLGRCU
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  4cca8b360d5053a789ea822ab80261dc6f010c1c72b0d449ca8cdcaffd2e2c0a
- Size
  
  1.2MB
- MD5
  
  00f33641a6c78c9e2330100a28c4a37c
- SHA1
  
  31cee3fbe5a130c52145919c4bb903125069fa08
- SHA256
  
  4cca8b360d5053a789ea822ab80261dc6f010c1c72b0d449ca8cdcaffd2e2c0a
- SHA512
  
  ecfa5076f26ad9f13b23a7bfc78c533eb01c2e6cdf4590fe1cc4790697377b7e3b11c9ed2e5f5b9bd7f5bc6fa104f6ca83145249b159a00c203beb27a6c51f3a
- SSDEEP
  
  24576:Cct8/gOkwvlKtq0p/QXA7ipUtHb8Gzg4etPxMLToY9AzqAPWMaGzs1Db:C5YsvCq0pkA7ke4GCITo2ocj1Db
Score

10^/10

discovery quasar alinaa spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  57f8e4e1d3339c0abadc0f64fc6a4abaff19cd138724cdbb3fae5f37905547c5
- Size
  
  248KB
- MD5
  
  690387324dc7c8704a9430cdabf22a7a
- SHA1
  
  3d20c1f2f551dba4712f6dda43e87dd6cd32422b
- SHA256
  
  57f8e4e1d3339c0abadc0f64fc6a4abaff19cd138724cdbb3fae5f37905547c5
- SHA512
  
  9b44d2fee5fdb86dd3cd7a4aac74e6f984c4673130ad404c1ac22d58cb792f55ff1840264323bd27704bfaf9b0c32edb1db32a11d0cec03f965d97e180979605
- SSDEEP
  
  6144:OaE1NFRBAaSMMuYPiBjlC3EkNdBbp247hZFM:sYanMXKBd2UO2
Score

9^/10

discovery spyware stealer upx
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral15 behavioral16
- Target
  
  922cba3477ffa83332622df72c2e580fcb3bdd437952c4b6b2c096b4a094acc3
- Size
  
  22.5MB
- MD5
  
  f0c932a921fc11f589bcb13a86bc3543
- SHA1
  
  a5c4de6e71ebf2700966b18d52fb9395c59509ae
- SHA256
  
  922cba3477ffa83332622df72c2e580fcb3bdd437952c4b6b2c096b4a094acc3
- SHA512
  
  88d64a31016b10148749e45bd0f5783042f1480f1ca37c67d96d645f429b54571fed51509f8574838948e8901f027edda936b44de5b528bec1fc4f4a41439bb7
- SSDEEP
  
  393216:WK4+4s3b6D1z/y8kBXARUN2HAyStNHnS6glv1JGnm+eN2v9KSYkGK:WKMsb6D1zQBwo0tSthSXlvl+eMvghkGK
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  b5bd1068644f0c38e7aa1cb38dcc40eacf146be9b43d8fd865fddee61ea9a588
- Size
  
  4.8MB
- MD5
  
  db497afaaa939e9bd7706520873de8c7
- SHA1
  
  9a032838d8587bd1e039220bb1bbe28b1c569ea5
- SHA256
  
  b5bd1068644f0c38e7aa1cb38dcc40eacf146be9b43d8fd865fddee61ea9a588
- SHA512
  
  a872f202d114739d2c8dbcafafdf88191adf6a3df51ab36c595371ab0b0343d3e8a838b07443f58d2d36251de8c027ad46a642317132bb5f088a70842b4f7959
- SSDEEP
  
  98304:0qwXy+as4+EAF3bgrYIseiqvGyS0Z4VeNzXrCAuO9X2egv+qvDfLdYEnrQtp:0qw1VFkrOeXGt24VezXr1y+4DjdBnEX
Score

10^/10

remcos remotehost discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524
- Size
  
  6.9MB
- MD5
  
  dd7004fc866d6f2872e0771b24d8d206
- SHA1
  
  adc25bdc1d43c2fe970870f3f1152029056591f2
- SHA256
  
  da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524
- SHA512
  
  bb64b65790b28cbf78723e49ff21ecfe6d081f41ccccbdc2df1d3ebbd52c05f3e623c49d45820307bd1218bd8412a5ef574870f28e22898f7dfbbdfa72e69dee
- SSDEEP
  
  98304:Hr7YzdbM+Q2y+RvK/+6jOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbLqledV1BqDS:Hr7e/vQOjmFQR4MVGFtwLPNledV1YnO
Score

8^/10

upx collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral21 behavioral22
- Target
  
  ec7b605aaefd00f0507f43c78590266b74345bc9308eba26fc542b6a0ae5e133
- Size
  
  6.9MB
- MD5
  
  04ce0c6078e128a91ef031f68304b2c5
- SHA1
  
  4f34f7395f4bcc9eba528cefcf43b83689ea388d
- SHA256
  
  ec7b605aaefd00f0507f43c78590266b74345bc9308eba26fc542b6a0ae5e133
- SHA512
  
  38cc2b6ecf13f725041700cf8ce4f13796fd12fd49171221f083673201d886174b61d45d9665462373dd2115507eadaa82e44f0e59fd72707400d58f19a73590
- SSDEEP
  
  196608:y283kdaXMCHGLLc54i1wN+DrRRu7NtbFRKnZMZDYhmh1wlxN8:b/cXMCHWUj7rRQ7XbFsn6ZUEWN
Score

9^/10

discovery
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Loads dropped DLL
behavioral23 behavioral24
- Target
  
  ff70347ce0294dc6741692164f65608d9bb47e396486c50da08a94a5b3cbe50c
- Size
  
  20KB
- MD5
  
  3f4ef305314bd83bf8f35c93eb02e56b
- SHA1
  
  545dfee7ed9699ba16f24d633855307e8a6fac42
- SHA256
  
  ff70347ce0294dc6741692164f65608d9bb47e396486c50da08a94a5b3cbe50c
- SHA512
  
  a9ad43f636851d78d9c84aa9b1853f901df32c0ae002fbfa16b127a71c2a3adf9181a1c1dd63bdbee05ee8d3604f9e592b3a22b91741c8686a955fa9c292685e
- SSDEEP
  
  384:Jys1v3fDuE0pRMSXSmhSTzDE6HnN9ng0ussJ:ssl3fD3EXSmgTzBNPussJ
Score

1^/10
behavioral25 behavioral26