Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04/03/2025, 21:24
General
-
Target
Bitcoin Flash Sender.exe
-
Size
1.0MB
-
MD5
fe4cf784ce07deb238da9cfc876b2c1f
-
SHA1
855c8c3535dff682b86ed8a17ede5f4e8bd068f8
-
SHA256
2826ba31add950b8bad6c19805f8a6cf0efc4710ac35c54acb19afc09f72c057
-
SHA512
51c225d338dc5a1e07f94dffba252a05b84d198444ed174ee0d7aeaaa27729a76b1c2389eaa03447f3f1cea02bff13cc97190bb70687bd535dd3874e989d8c81
-
SSDEEP
24576:o7uzTHUpq1n4CBQpUOgyuiSjKg5tVlHmxtC/ulI4Xf:oKT0pk4CBQrg2jgGjlb
Malware Config
Extracted
quasar
2.1.0.0
Office04
45.61.140.75:7812
VNM_MUTEX_DIBuVCpZfDcrHCFft2
-
encryption_key
q8RpA86xyuUHuOrxUGXa
-
install_name
Windows Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Service Host
-
subdirectory
SubDir
Extracted
xworm
5.0
185.252.232.158:7812
b0c5WZixE6SqaTDD
-
Install_directory
%AppData%
-
install_file
Windows Defender Security Service.exe
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
185.252.232.158:7812
64.23.232.116:7812
vsvf
-
delay
1
-
install
true
-
install_file
Windows Security Health Service.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Contains code to disable Windows Defender 4 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 2 IoCs
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 4 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Stormkitty family
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Venomrat family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Async RAT payload 2 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bitcoin Flash Sender.exe"C:\Users\Admin\AppData\Local\Temp\Bitcoin Flash Sender.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Security.exe"2⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\S0ml0L2KDpQU.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Security.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Roaming\crack.exe"C:\Users\Admin\AppData\Roaming\crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBC2E.tmp.cmd""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 44⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Security Service" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\Cracked.exe"C:\Users\Admin\AppData\Roaming\Cracked.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"'4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB220.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9703EDF1-E882-419C-9D14-1378BF27327D} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Query Registry
2Remote System Discovery
1System Information Discovery
2System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
210B
MD57fb36b684dbe8d9ff36fef0d34af065d
SHA139aece81f12a0c369abf7f654fdc2c03d85f8ae0
SHA2563dd6a066af225fc15262c1ebceaf0f7f55630aed716153f0b00b978bf77b6535
SHA512e355947fe3cf25ebda167d0cb0d9c1cbd73c2081ceadd8df8cd385b7aa700143e5582f117b6d81f05bdbe4dad394033e0f8865a2807502a33a79c02c89d356b9
-
Filesize
5.0MB
MD513cd3dc80ad94c33c6b0aa087e917694
SHA130818dd4f9ba1c238f1828c35350fab0d3d38022
SHA256c09805aec6fe8822572673e7fb38a81c6394e74a28dc7b62e843d9e19cbb9cc6
SHA5128d671bbeacb2a54adfec2bd841b617c0a63e571393831bc7508792222b834a2b7d746415b9906a133b5d581a76b2c283f6eed8468f4a71b9a175c2ad9e254874
-
Filesize
175B
MD5549d96ff6993e77677d8e895e3f111a0
SHA17d6e0240fb1f73fcdc9cc6653a1f033adc5bfee7
SHA2562ad9f4117ad86320eeca10fc3569b93bd1b717dde503ed702be8256549586db6
SHA512e5f5bf65edd1ed0e2802b42f8997aeb97fa05e515d5487ecb27ce9c03d97c0386988599ef8891b556fb2a753a6ea1a238171adacc2bb057513a135bdfbdf453b
-
Filesize
151B
MD5895e96a9669ebb2d39864e5f5df2d8fc
SHA13c590de28898ac32c0c5a162485299034e7da7b1
SHA256f36443050e4e35c041ca4b1ce1eb7f6d7f5b6d7ef826b2bdfd31e40eeccf218e
SHA51299273715bb6dbbd9dfcc161512418e04d1a91e3cca98f495084d0a93382e2da06ef47202794252280f3ce7628c810527d21c6d46413e7da7a7ee28c5490c4c61
-
Filesize
74KB
MD50dfa83a82f6418c73406d78296de61be
SHA1dd7eceef8a434c43e0751e180bf714e08771d336
SHA2568d27369ffa8b29d561fa9daf485be14d2fc00287bb1c69d4c84d514891c8db5e
SHA5129a4b026250b18c29ab7dd48203f321c2ef2f12695bd2dcb52ebbc15001c8ddf019d5a7e04da056c50c1881ce269d1810259bf6d04b61f471e8751b7192fc73d4
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
42KB
MD57a5ea6a11fdb03f789a2246aa8ff1501
SHA15e1289096418c7f8b5901963c34c89f9902cbbba
SHA256bde45f854d6c434717ea7b59587e020c2403123728c49deb56cba8132de5e96a
SHA512cfca94f3d78675bbe56f02119e3943f7067898d7b7d14e91bca7220a235665363f69930acdeb9f7df388a49a6b62812bcf74bbffad20a96915257b54c4e78a73
-
Filesize
534KB
MD5e08257dba54a675925b5fe410fb044b6
SHA14a15b592c595bae0abe7a3b160c026805700c6b6
SHA25603ebf0bf1d1017311113a4a32b757a5ad415d29301ff1c736d504beba7244621
SHA51245a343389a78269a861f99e7b1cf72c6be384043b36491b330ff48f7c940d2bcecd3d2f688adfa5b77029f39cc745926960f50d5506025726a0437d4b94bc2c2
-
Filesize
8KB
MD59215015740c937980b6b53cee5087769
SHA1a0bfe95486944f1548620d4de472c3758e95d36a
SHA256a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA5125b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2
-
Filesize
170KB
MD536e79d9c029304417b9e0a142eb22a42
SHA1ec3e50b99c320bf80cf990558da8707fbb52edab
SHA256b9b3b3630d78ed68c6cca1fb41fe51fa1626c6a58bd62387d824e344b8e451bb
SHA512d2732de13b780eff3c14a4122410f02395a2d1cc36f7c28f9d8a58f07cc20528860ff169d35ba72cb64f0f0d58ca98f5a8bd962447c33f637ef9e8a0fc3ae9c8
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
560KB
-
Filesize
32KB
-
Filesize
192KB
-
Filesize
560KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
560KB