Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04/03/2025, 21:33
General
-
Target
Main.exe
-
Size
723KB
-
MD5
da83861c41845595ac896a9ba8908166
-
SHA1
35fb04158b18389c0fa05d560b44d0c90b378bac
-
SHA256
88f0200e25ae48da6d87f5bb43c0b3ca9e3af0a55544a362a4c68fca967ab790
-
SHA512
b257db872b86fc9565222694a5bf6e74f6c825a107b3ebbc38a7e19e762b143c7ad86bce111c9eb9424d5f83fe5cb057f73456fd3c19e7f68b95acbc5fb72e90
-
SSDEEP
12288:tOhqsVIRb2yrFriBdD3aTbgLxLYjQbyGzs0yROS44MERXjI7Uh0TAXP6KH37gi:ohDsDhCU/gLijQbyGzs0yQaMKjI7kXjl
Malware Config
Extracted
quasar
2.1.0.0
Office04
45.61.140.75:7812
VNM_MUTEX_DIBuVCpZfDcrHCFft2
-
encryption_key
q8RpA86xyuUHuOrxUGXa
-
install_name
Windows Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Service Host
-
subdirectory
SubDir
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Stormkitty family
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Venomrat family
-
Async RAT payload 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Main.exe"C:\Users\Admin\AppData\Local\Temp\Main.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Security.exe"2⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\sTwAcJEOo9M6.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Security.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Roaming\crack.exe"C:\Users\Admin\AppData\Roaming\crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC8EA.tmp.cmd""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 44⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
2System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
5.0MB
MD5c5ec8e3a3ac8a0b4def250704fadbe97
SHA10673f991bef6c568e04e37ae93567ab6369b8b46
SHA256d72959f1ac7ba38109198851384bac6b086b0b4d859334719d8898b81ce4ca70
SHA5122094ed53e365418bfc58ea71947280e71f712a20a28c1f49c44b3128032796a3066323a717dc74e4240fd03187c007660b285a5a300d5603d68ae61847e562d0
-
Filesize
210B
MD511ecca2b71ac84652c136f585d674765
SHA1572ca5c510fa50d1c42b6396a12175ad910f3a28
SHA256739ac42be90c9f9c7ab3beaf026150cbd699630333a4846d7aebdfc227a27432
SHA512c89447f92d2b589a6bee085435422b73bec14b4c3f8beea7002bfcbf40f59316804c0d4ede8a4eb7df10182e80f5b05919fbcc9fecbd98d44fa719194f55d14a
-
Filesize
151B
MD58263131ecf236dfdbdcd4d459a8ffb56
SHA1ec4bf1647e9c284586dd9cd0e35d169078739bf2
SHA256b819b9ce76bcd363726cc6b02ad96b86c7116b566ba27c5ae77c22fe9e440527
SHA512f8a91f93bf46eeb6c6ea3459648beddc1217fe262c91edf0f8dd0a67ed264913c9c0e94e83aa90c6782e63dd476608842ab15846e04c253bd72fd47cabb0341b
-
Filesize
534KB
MD5e08257dba54a675925b5fe410fb044b6
SHA14a15b592c595bae0abe7a3b160c026805700c6b6
SHA25603ebf0bf1d1017311113a4a32b757a5ad415d29301ff1c736d504beba7244621
SHA51245a343389a78269a861f99e7b1cf72c6be384043b36491b330ff48f7c940d2bcecd3d2f688adfa5b77029f39cc745926960f50d5506025726a0437d4b94bc2c2
-
Filesize
8KB
MD59215015740c937980b6b53cee5087769
SHA1a0bfe95486944f1548620d4de472c3758e95d36a
SHA256a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA5125b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2
-
Filesize
170KB
MD536e79d9c029304417b9e0a142eb22a42
SHA1ec3e50b99c320bf80cf990558da8707fbb52edab
SHA256b9b3b3630d78ed68c6cca1fb41fe51fa1626c6a58bd62387d824e344b8e451bb
SHA512d2732de13b780eff3c14a4122410f02395a2d1cc36f7c28f9d8a58f07cc20528860ff169d35ba72cb64f0f0d58ca98f5a8bd962447c33f637ef9e8a0fc3ae9c8
-
Filesize
4KB
-
Filesize
752KB
-
Filesize
560KB
-
Filesize
32KB
-
Filesize
192KB
-
Filesize
560KB