General

  • Target

    tweaks.msi

  • Size

    1.8MB

  • Sample

    250308-x1s7ea1n14

  • MD5

    4ec71a0199c815d38a72dbde16d35640

  • SHA1

    c76cea914df8c3522736d70a38b39bc6feb5bbe9

  • SHA256

    74bcbc7848025dcfe4782ce25474d2cae757f9562ac42a334321a0436884df4e

  • SHA512

    6ea57799559ee6274eb508a1e318a21ec33fb2f90ce3521bd701bdd836357cee956958ffb7f33bbe410fef1cf5661de33f0c8271f64094f2725fb1b56cac452f

  • SSDEEP

    49152:zpRhllcgaOszTHCxdiIHLSoJTRI9eePsfhz3aXuHEU:zpv9svCKIHLtTRFekfhzqXuHEU

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/Pluhh132/2/raw/refs/heads/main/1release.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

pluh

C2

91.51.36.43:4847

Mutex

cc3433dc-2db7-4a06-8bf7-ab06c98ae722

Attributes

  • encryption_key

    15F7B7E72381E729EFE3F3EC04B9B82B2C52ECB9

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    RuntimeBroker

  • subdirectory

    RuntimerBroker

Extracted

Family

xenorat

C2

2533qwefs-64288.portmap.host

Mutex

25682-25636-235364376-254262

Attributes

  • delay

    1000

  • install_path

    appdata

  • port

    64288

  • startup_name

    System

Targets

    • Target

      tweaks.msi

    • Detect XenoRat Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Xenorat family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Modifies file permissions

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.
