Overview

overview

10

Static

static

3

DarkStreamtool.exe

windows10-ltsc 2021-x64

10

DarkStreamtool.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DarkStreamtool.exe

  • Size

    4.1MB

  • Sample

    250204-n5fbnsxkem

  • MD5

    6d9183425590b05efc503b0d0e780f49

  • SHA1

    e3ac46bf52e48cf98988bc908a3a3de431f735a4

  • SHA256

    8fa822e17a1199c462d0c7c417f86771e2049934bb469f15cfa464168d2734c8

  • SHA512

    7fdbe76f8b502197972255cefd1acd5870052f7a2c2e2b4fdefe62cfd8d7870a93b2e24ff77f113bfe4f7c604ff8df7e54228091ff82cd8128886492365f701c

  • SSDEEP

    49152:DBFc8ar83KZDGR8+IMJupLUFFFFFA9MQ195PS096hbHITCOPyWtjXQStUCV4S3I:DBCzDCR8dKFFFFF5IS096ZlGtSYIQJ

Score
10/10
quasarxwormsystem usediscoveryexecutionpersistenceratspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

System Use

C2

search-varies.gl.at.ply.gg:4782

Mutex

b190c4c7-b07b-4e91-b02a-b4c0db119749

Attributes
  • encryption_key

    7EFB9B56C32456D72E73A7558DE372F4393A10ED

  • install_name

    Client.exe

  • log_directory

    Discord

  • reconnect_delay

    3000

  • startup_key

    Discord

  • subdirectory

    SubDir

Extracted

Family

xworm

C2

127.0.0.1:38692

search-varies.gl.at.ply.gg:38692
Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

Targets

    • Target

      DarkStreamtool.exe

    • Size

      4.1MB

    • MD5

      6d9183425590b05efc503b0d0e780f49

    • SHA1

      e3ac46bf52e48cf98988bc908a3a3de431f735a4

    • SHA256

      8fa822e17a1199c462d0c7c417f86771e2049934bb469f15cfa464168d2734c8

    • SHA512

      7fdbe76f8b502197972255cefd1acd5870052f7a2c2e2b4fdefe62cfd8d7870a93b2e24ff77f113bfe4f7c604ff8df7e54228091ff82cd8128886492365f701c

    • SSDEEP

      49152:DBFc8ar83KZDGR8+IMJupLUFFFFFA9MQ195PS096hbHITCOPyWtjXQStUCV4S3I:DBCzDCR8dKFFFFF5IS096ZlGtSYIQJ

    Score
    10/10
    quasarxwormsystem usediscoveryexecutionpersistenceratspywaretrojan

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks