General

Target: tweaks.msi
Size: 1.8MB
Sample: 250308-x1s7ea1n14
MD5: 4ec71a0199c815d38a72dbde16d35640
SHA1: c76cea914df8c3522736d70a38b39bc6feb5bbe9
SHA256: 74bcbc7848025dcfe4782ce25474d2cae757f9562ac42a334321a0436884df4e
SHA512: 6ea57799559ee6274eb508a1e318a21ec33fb2f90ce3521bd701bdd836357cee956958ffb7f33bbe410fef1cf5661de33f0c8271f64094f2725fb1b56cac452f
SSDEEP: 49152:zpRhllcgaOszTHCxdiIHLSoJTRI9eePsfhz3aXuHEU:zpv9svCKIHLtTRFekfhzqXuHEU

Static task: static1

Behavioral task: behavioral1
  Sample: tweaks.msi
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: tweaks.msi
  Resource: win10v2004-20250217-en
Malware Config

Extracted
  https://github.com/Pluhh132/2/raw/refs/heads/main/1release.exe

Extracted
  Family: quasar
  Version: 1.4.1
  Botnet: pluh
  C2: 91.51.36.43:4847
  Mutex: cc3433dc-2db7-4a06-8bf7-ab06c98ae722
  Attributes:
    encryption_key: 15F7B7E72381E729EFE3F3EC04B9B82B2C52ECB9
    install_name: RuntimeBroker.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: RuntimeBroker
    subdirectory: RuntimerBroker

Extracted
  Family: xenorat
  C2: 2533qwefs-64288.portmap.host
  Mutex: 25682-25636-235364376-254262
  Attributes:
    delay: 1000
    install_path: appdata
    port: 64288
    startup_name: System
Targets

Target: tweaks.msi (1.8MB; hashes as listed under General above)
Signatures
  Detect XenoRat Payload
  Quasar family
  Quasar payload
  Xenorat family
  Blocklisted process makes network request
  Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Modifies file permissions
  Downloads MZ/PE file
  Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
  Legitimate hosting services abused for malware hosting/C2
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (2)
    PowerShell (2)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Event Triggered Execution (1)
    Installer Packages (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Event Triggered Execution (1)
    Installer Packages (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  File and Directory Permissions Modification (1)
  System Binary Proxy Execution (1)
    Msiexec (1)