Overview

overview

10

Static

static

3

test.exe

windows7-x64

7

test.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    test.exe

  • Size

    14.3MB

  • Sample

    250204-w448eaxrap

  • MD5

    8a44ee98217bc81f0869d793eefab1f0

  • SHA1

    4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200

  • SHA256

    c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed

  • SHA512

    4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02

  • SSDEEP

    393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT

Score
10/10
ammyyadminasyncratorcusquasarrhadamanthysvidarxwormfivemsigortatestaspackv2defense_evasiondiscoveryexecutionprivilege_escalationpyinstallerratspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.208.156.62:9009

Mutex

Iuf47JITa74lSJjB

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

test

C2

otrodia8912.gleeze.com:3333

Mutex

123

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

vidar

C2

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

rhadamanthys

C2

https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1fr

Extracted

Family

quasar

Version

1.3.0.0

Botnet

sigorta

C2

213.238.177.46:1604

Mutex

QSR_MUTEX_dxT1m3RtSBLlUoRqXL

Attributes
  • encryption_key

    AZfjKXCnqT1oHdxEyyKo

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Sigorta

C2

0.0.0.0:7777

13.48.129.198:7777

172.31.0.240:7777
Mutex

3b0592fc-14a1-4b8e-9803-69284ea2b6d2

Attributes
  • encryption_key

    E0BB4B221F7AADA73B9059B33A3CFF096A518413

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

orcus

Botnet

FIVEM

C2

198.50.242.157:3846

Mutex

7c8e6bec5a514abfa98e8c7d116e215a

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\GoogleChromeUpt\Updater.exe

  • reconnect_delay

    10000

  • registry_keyname

    ChromeStarter

  • taskscheduler_taskname

    Start

  • watchdog_path

    AppData\ChromeDEV.exe

Targets

    • Target

      test.exe

    • Size

      14.3MB

    • MD5

      8a44ee98217bc81f0869d793eefab1f0

    • SHA1

      4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200

    • SHA256

      c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed

    • SHA512

      4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02

    • SSDEEP

      393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT

    Score
    10/10
    ammyyadminasyncratorcusquasarrhadamanthysvidarxwormfivemsigortatestaspackv2defense_evasiondiscoveryexecutionprivilege_escalationpyinstallerratspywarestealertrojanupx

    • Ammyy Admin

      Remote admin tool with various capabilities.

      ratammyyadmin

    • AmmyyAdmin payload

    • Ammyyadmin family

      ammyyadmin

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Vidar Stealer

      stealer

    • Detect Xworm Payload

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus family

      orcus

    • Orcus main payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Rhadamanthys family

      rhadamanthys

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Orcurs Rat Executable

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      defense_evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      defense_evasion

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks