Overview

overview

10

Static

static

3

COMPROBANT...GO.exe

windows7-x64

10

COMPROBANT...GO.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    11022025_1701_10022025_COMPROBANTE de PAGO.rar

  • Size

    846KB

  • Sample

    250211-vjwj4atpdx

  • MD5

    d4e69dda4809b97af14c2099cee1caec

  • SHA1

    c16d805411ea15c550e960e7aa915b53cfdf73a3

  • SHA256

    315a4ecb30f4abca83a84677a5c19936d2c0818f1775cda187d09695518a73a9

  • SHA512

    d12ca8fbed6cb6a6aa0d0034e88d9a449145864ed6c58167a1dce80b6442bfc65893da0dd63d3e52787543ee801b979614cf1996dd90325065682a00a083f060

  • SSDEEP

    12288:eEjyfRHb6dlI2+qk5/jBPsYFdQ7ECXA3av8dk2fWz0/zTQ7v3s2WmYqD3B88M0Sw:eEGlt2+XB7AnQ3avG7f3fF5q188Rf

Score
10/10
quasarstroy3adwarediscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Stroy3

C2

twentyfivev.crabdance.com:61538

127.0.0.1:61538
Mutex

QSR_MUTEX_jgYB0FbAXwuBLBMCAM

Attributes
  • encryption_key

    7ghxCAmzO7RIdS51gVaQ

  • install_name

    cpdater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    cindows cpdater

  • subdirectory

    cindows

Targets

    • Target

      COMPROBANTE de PAGO.exe

    • Size

      854KB

    • MD5

      e56d988fd3f4b747bf69c724085878d6

    • SHA1

      876cbcce543f49cf190a12c4a07c3139247e05ab

    • SHA256

      e490dc9257f951ed3e61055852315cac3f13dd404f88d546a06010639fb55f93

    • SHA512

      06f1c1e8c48340dda4115d0b5221502ad90a5e92e1eafc351d765ec91343a91e5bda8fb85d8cee1601a69800dd5502492310aa01b32aba5a3b11ba9120f881d6

    • SSDEEP

      24576:JRuPGExISnGAvq4TYlCjXZfQVbhImUTdlmajaO:z96wgYUjX9uhnU5o

    Score
    10/10
    quasarstroy3discoveryspywaretrojanadwarepersistenceprivilege_escalationstealer

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks